Cyber spies based in Chengdu, China have reportedly used phishing e-mail attacks and a bot network — abetted by social media — to steal top secret Indian government documents and visa information from Canadian citizens.
This information was uncovered by the same researchers who brought to light the activities of a ring of hackers dubbed “Ghostnet” last year.
The University of Toronto’s Citizen Lab worked with Ottawa-based security research firm SecDev Group and other American researchers to uncover an even more widespread cyber espionage operation.
The researchers released their findings yesterday.
The Internet spy network has stolen documents such as data on India’s missile systems, the private correspondence of the Dalai Lama, and visa applications of Canadians looking to travel from Kabul, Afghanistan to New Delhi, India. The total number of stolen documents is greater than 700.
The hackers involved can’t be technically linked to the Chinese government, researchers say.
But some don’t doubt the secret information gleaned from stolen documents will fall into state hands. Hackers used publicly available social media services as a command and control network, including Twitter, Google Groups, Blogspot, Baidu Blogs, Blog.com and Yahoo! Mail.
“The social media clouds of cyber space have a dark, hidden core,” said Ron Deibert, director of Citizen Lab. “You’re only as secure as the weakest link in your chain of connections.”
The researchers detail how hackers used social media services as vehicles for spying in their report, Shadows in the Cloud. The attackers used five Yahoo Web mail accounts, three Twitter accounts, 12 Google Groups, eight Blogspot blogs, nine Baidu blogs and 16 Blog.com sites. By routing connections through social networks, the hackers were able to disguise their botnet traffic and avoid detection.
Once a computer was infected by the hackers, malware connected to the five Yahoo Web mail accounts and created a unique folder in the Inbox of the mail account.
An e-mail containing the computer’s name, operating system and IP address was inserted into this folder. Next, an attacker would send an e-mail to the account containing a command and additional malware, which would then be downloaded and executed by the compromised computer.
Using social media for command and control servers is nothing new, explains Brian Bourne, president of CMS Consulting, a Toronto-based Microsoft partner. Hackers have moved from IRC to social media in order to disguise their malicious traffic.
“You don’t really have a good way to shut down access to Twitter, and it all looks like normal traffic,” he says. “It doesn’t take a lot of work to set up a Twitter account.”
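Because the command traffic described above rides on ordinary webmail and social-media sessions, one thing a defender can still look for is timing: an implant checking its mailbox on a fixed schedule produces far more regular request gaps than a person reading mail or browsing Twitter. The following is an added example, not code from the report or from anyone quoted in this article; it runs over constructed proxy log lines and flags a source that contacts one of the services named above at near-constant intervals (the log format, the domain list and the thresholds are assumptions).

```python
from collections import defaultdict
from statistics import pstdev
import re

# Added example, not from the report: services the article names as C2 channels.
C2_DOMAINS = ("mail.yahoo.com", "twitter.com", "groups.google.com",
              "blogspot.com", "hi.baidu.com", "blog.com")

# Constructed proxy log lines: "<epoch> <src_ip> <method> <url>". Host 10.0.0.5
# browses normally; 10.0.0.9 hits Yahoo Mail every 300 s like a beacon.
SAMPLE_LOG = """\
1270742400 10.0.0.5 GET http://twitter.com/home
1270742411 10.0.0.5 GET http://mail.yahoo.com/
1270742490 10.0.0.5 GET http://twitter.com/search
1270742400 10.0.0.9 GET http://mail.yahoo.com/
1270742700 10.0.0.9 GET http://mail.yahoo.com/
1270743000 10.0.0.9 GET http://mail.yahoo.com/
1270743300 10.0.0.9 GET http://mail.yahoo.com/
1270743600 10.0.0.9 GET http://mail.yahoo.com/
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (timestamp, src_ip, host) for requests to the listed services."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, _method, url = m.groups()
        host = re.sub(r"^https?://", "", url).split("/")[0]
        if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
            yield int(ts), src, host

def find_beacons(text, min_hits=4, max_cv=0.1):
    """Return {src_ip: (host, mean_gap)} for sources whose requests to one
    service are periodic: gap std-dev divided by mean gap is <= max_cv."""
    seen = defaultdict(list)
    for ts, src, host in parse_log(text):
        seen[(src, host)].append(ts)
    flagged = {}
    for (src, host), stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = sum(gaps) / len(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[src] = (host, avg)
    return flagged
```

Real implants add jitter, so in practice the threshold is tuned against a baseline of the organisation's own browsing rather than set once.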
One example of a command-and-control system running via social media is the Kreios C2 toolkit. Though not elegant or stealthy, the Ruby-based application has proven good enough to organize large networks of infected computers over Twitter, through JPEG images, and via TinyURL. It can also operate over LinkedIn, where it edits status messages.
While social media provides some of the control over the infected computers, more typical e-mail-based attacks are used to infect computers. Ghostnet hackers used infected PDF and Microsoft Word documents attached to phishing e-mail messages designed to fool users into opening the file.
“They’ll use specific information gleaned from a previous attack,” says Nart Villeneuve, chief research officer at SecDev Group. “The goal is to get the user to open the attachment … this will exploit a flaw in the users’ software.”
The attack methods used by these cyber spies are far from sophisticated, Bourne says. There is nothing new or advanced here, just run-of-the-mill hacking tricks.
Still, “there’s no simple fix,” he says. “The only thing you can have reasonable control over is how easy or how hard it would be to install bots in your network.”
Antivirus software can help do that somewhat, he adds. But the best thing users can do is make sure their systems are up to date and patched. Users must also be on the lookout for potential phishing e-mail messages.
Citizen Lab has notified the Indian government about the breach. There is no way to establish a link between the hackers in Chengdu and the Chinese government, says Greg Walton, a researcher with the lab.
China has recently come under fire for attacks launched against Google that also originated within the country. This led Google to stop its censoring of Internet search results in China.
The hackers are located in Chengdu, Walton notes. There is also a Chinese military intelligence agency based in that area that is focused on Southeast Asia.
“That could all be a coincidence,” he says. “There are intelligence stations all over China.”
Citizen Lab identified the five Yahoo e-mail addresses used by the hackers. They are:
Follow Brian Jackson on Twitter.