Syrian rebels and Tibetan rights activists were the targets of two major cyberwarfare attacks in the past week—both of which used novel methods. Syrian opposition members were attacked by a Skype trojan that allowed outsiders to spy on their computers, while Tibetan activists were hit by a spoofed European Union email that hid malware on their systems. The two attacks happened within days of each other, and highlight an unfortunate truth. Just as mail bombs were used in prior conflicts to silence dissidents, cyberattacks are being used in 2012.
In the Tibetan attack, over 80 prominent activists in the Tibetan rights community received an email that appeared to be a copy of a June 14 European Parliament resolution on Tibetan self-immolations—a legitimate document. However, the email came from an unknown organization called the “Tibetan Welfareoffice” and was written in broken English:
Here is the new decision of EUROPEAN PARLIAMENT about tibetan human right in China, and it is so useful for us to strive for independent nation. Please forward it to tibetan.
While the email would raise suspicion among fluent English speakers, it was sent to an audience for whom English is a second or even third language. When the attachment (a Microsoft Word document containing, ironically enough, text from another EU document discussing Tibet) is opened, it exploits a Word vulnerability and installs an executable worm on the user's system. The Word document itself has carefully crafted metadata—much more carefully crafted than the English in the email text itself—and appears to have been deliberately released at a time when Tibetan activists would first be hearing about the resolution through the news.
Portions of the worm contain code identical to another worm that was discovered in American email boxes in May by Symantec. The May worm pretended to be an information packet for an upcoming European tour by the Dalai Lama.
Once installed on a user's computer, the malicious code communicates with a command and control server located in Hong Kong. The server's IP address belongs to DYXNet, a Chinese Internet service provider. Citizen Lab performed detailed analysis on the worm and, as they drolly put it, “[it] raises serious questions concerning misappropriation of the intellectual property and political resources of public entities—in this case, utilizing an European Parliament resolution to compromise the Tibetan community, the very individuals the European Parliament, on behalf of European citizens, sought to protect.”
Meanwhile, the Electronic Frontier Foundation has discovered a Skype-based worm targeting Syrian citizen journalists and opposition members. Unknown parties have been compromising Syrian users' Skype accounts to send surveillance malware disguised as an “important new video.”
In a sample case documented by the EFF, the compromised Skype account of a Free Syrian Army officer was used to send a malicious .pif file stored at mediafire.com to contacts under the guise of a video. Because the file was stored at Mediafire, users were unable to see that it was questionable.
The .pif file itself installs a Russian surveillance tool, Blackshades Remote Controller, onto users' computers. Blackshades lets remote operators log keystrokes and take screenshots at will. According to promotional materials, “Blackshades Remote Controller provides as an efficient way of turning your machine into a surveillance/spy-device or to spy on a specific system. If you want to monitor all keystrokes on your computer while you are away, or want to make sure your child is being safe while using the computer, the built in tools such as the keystroke capturer, screen viewer and process manager will aid you to do so.”
Syrian rebels and opposition activists are urged by the EFF to use extreme caution in downloading any file attachments, even those sent by friends.
[Image: Flickr user marsmet543]