Information Warfare Monitor this weekend published a very interesting paper detailing their research into “a suspected cyber espionage network”. This research complements Trend Micro’s own ongoing research, since we first noted that the Tibetan Government in Exile’s own web site was compromised back in April of last year to serve malware through maliciously crafted image files.
The paper details a very extensive piece of research conducted in several countries over the period June 2008 to March 2009 and presents evidence of a network of compromised machines comprising more than 1295 machines in 103 countries. 30% of the infected machines are said to be “high value”, located in government networks (ministries and embassies), news media, Non-Governmental Organisations (NGOs) and international organisations.
While very careful not to explicitly point the finger of blame, the document’s conclusion does state that “The most obvious explanation, and certainly the one in which the circumstantial evidence tilts the strongest, would be that this set of high profile targets has been exploited by the Chinese state for military and strategic-intelligence purposes.”
In a prolonged and concerted attack, the authors of this botnet have combined spear-phishing and social engineering with the now familiar botnet architecture to gain full remote control over machines handling highly sensitive data which would be extremely useful to the Chinese state. Perhaps more disturbingly, where those compromised machines have external devices such as webcams or microphones installed, these have also been under the remote control of the attackers and have been observed being used for espionage purposes.
The network has been built by distributing booby-trapped documents over email, designed to appeal to those with an interest in the political situation in Tibet. Once a document was opened, the machine was infected with a copy of gh0st RAT (Remote Access Tool), bringing it fully under remote control. TrendLabs were already seeing these documents in the wild back in July of last year, exploiting a then zero-day vulnerability in Microsoft Word (MS08-042).
The compromised machines seem to report to Command & Control (C&C) servers based in the People’s Republic of China, which have been used to execute commands on the infected machines and to upload files from them to the botnet C&C machines. In some cases these stolen documents have been used to construct further spear-phishing mails, furthering the infection by lending credibility to the malicious content.
It is far from certain that this network is controlled, or even sanctioned, by the Chinese state; in fact this has been explicitly denied by military and security analysts in China. As the McColo takedown last year should already have taught us, the place where the servers are located (in that case the US) does not necessarily correspond to the location of the perpetrators. McColo, despite the name, were based in Russia.