Vulnerabilities / Threats
4/6/2010
05:05 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Data Stolen From India, UN, Dalai Lama Traced To China

A report on cloud-based cybercrime details the activities of a gang of computer hackers believed to be operating out of Sichuan Province in China.

Just as in January, computer hackers based in China are being accused of cyber espionage and the Chinese government is denying involvement and calling the charges groundless.

In January, the targets were Google, dozens of other companies, and the e-mail accounts of human rights activists. Following revelations about the incident, Google said it would stop censoring search results in China, a decision that led the company recently to redirect queries from mainland China to Google servers in Hong Kong.

This time, the targets are the Indian Ministry of Defense, the United Nations, and the Office of the Dalai Lama, among other organizations.

There's a noteworthy difference in the two attacks, however: The security experts who revealed the attacks managed to track the perpetrators over eight months.

As a consequence, the researchers were able to obtain copies of various sensitive and classified documents from the hackers. These documents included files taken from governments, businesses, academic institutions and other entities.

Some of the stolen data consisted of visa applications provided to Indian embassies, for example. Other data recovered included some 1,500 letters sent from the Dalai Lama's office between January 2009 and November 2009.

The researchers said they handled the sensitive files responsibly and notified affected organizations.

The report on the attack, published by Information Warfare Monitor -- made up of Citizen Lab, part of the Munk School of Global Affairs at the University of Toronto, and the SecDev Group -- and the Shadowserver Foundation, is called Shadows in the Cloud: An investigation into Cyber Espionage 2.0.

The authors of the report contributed to a similar investigation last year called GhostNet that found circumstantial evidence pointing to attackers located in China.

The "Espionage 2.0" designation represents an attempt to differentiate between previous hacking methods and an emerging approach that relies on "the misuse of social networking and cloud computing platforms, including Google, Baidu, Yahoo, and Twitter, in addition to traditional command and control servers."

The researchers identified three Twitter accounts, five Yahoo Mail accounts, twelve Google Groups accounts, eight Blogspot blogs, nine Baidu blogs, one Google Sites account, and 16 blog.com blogs that were part of the attackers' infrastructure.

The malware used to compromise victims typically involved an element of social engineering, to convince recipients to open infected files. The attackers used PDF, PPT, and DOC files to exploit old and recent vulnerabilities in Adobe Acrobat and Acrobat Reader, Microsoft Word 2003 and Microsoft PowerPoint 2003.

The report concludes by warning that the selling points of cloud computing -- reliability, distribution, and redundancy -- are the very properties that make cloud services attractive to cybercriminals.

"Clouds provide criminals and espionage networks with convenient cover, tiered defenses, redundancy, cheap hosting and conveniently distributed command and control architectures," the report says. "They also provide a stealthy and very powerful mode of infiltrating targets who have become accustomed to clicking on links and opening PDFs and other documents as naturally as opening an office door. What is required now is a much greater refection on what it will take, in terms of personal computing, corporate responsibility and government policy, to acculturate a greater sensibility around cloud security."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3352
Published: 2014-08-30
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) 2008.3_SP9 and earlier does not properly consider whether a session is a problematic NULL session, which allows remote attackers to obtain sensitive information via crafted packets, related to an "iFrame vulnerability," aka Bug ID CSCuh...

CVE-2014-3908
Published: 2014-08-30
The Amazon.com Kindle application before 4.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.