Antivirus provider Trend Micro has released a research paper that links breaches against the computers of Tibetan activists and companies in Japan and India to a hacker in the Chinese underground.
An article published on Thursday in the New York Times later identified the intruder as a Chinese former graduate student who now “apparently” works for Tencent, China’s leading Internet portal company, according to online records cited by the news organization. It was one of the few times people investigating espionage-style malware attacks have put a public face on an alleged perpetrator.
Trend Micro researchers tracked the targeted campaign called “Luckycat,” which initially was believed to target Indian military research institutions. They found that it also attacked military research institutes and aerospace, energy, engineering, and shipping companies in Japan, as well as Tibetan activists. The campaign began as early as June, 2011, and can be credited with at least 90 attacks that compromised 233 computers.
The Trend Micro researchers, led by Nart Villeneuve, traced the hacks to an e-mail address used to register one of the command and control servers the malware accessed. That e-mail address was then found to map to a Chinese instant messaging account belonging to a Chinese hacker, “dang0102.”
“The same hacker also published a post on a student BBS of the Sichuan University using the nickname, “scuhkr,” in 2005,” the report stated. “He wanted to recruit 2-4 students to a network attack and defense research project at the Information Security Institute of the Sichuan University then. Scuhkr also authored articles related to backdoors and shellcode in a hacking magazine that same year.”
The New York Times subsequently traced the “scuhkr” nickname to “Gu Kaiyuan, a former graduate student at Sichuan University, in Chengdu, China, which receives government financing for its research in computer network defense.”
This connection does not prove the campaigns are officially sanctioned by the Chinese government. But “(t)he fact they targeted Tibetan activists is a strong indicator of official Chinese government involvement,” the Times quotes former diplomat James A. Lewis as saying. “A private Chinese hacker may go after economic data but not a political organization.” Lewis is director at the Center for Strategic and International Studies in Washington.
The Luckycat hackers used contextual e-mails purporting to represent topics of interest to Tibetan activists, including self-immolation, to get malware into their machines. This was the hackers’ standard operating procedure across targets. They used five families of malware, free Web hosting services for their command and control machines and a malware called TROJ_WIMMIE, in addition to others. This malware exploited CVE-2010-3333 (aka, Rich Text Format Stack Buffer Overflow Vulnerability) in several instances, as well as leveraging Adobe Reader and Flash Player vulnerabilities.
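The RTF exploit named above, CVE-2010-3333, abuses the `pFragments` shape property in Office's RTF parser, and booby-trapped RTF attachments of that kind carry their payload as long runs of hex digits. The following triage script is an added example written for this article, not code from Trend Micro or from the report; it applies two well-known heuristics (presence of the `pFragments` property and an unusually long hex run) to mail attachments so that a defender can quarantine lures of the sort described above for closer analysis. The RTF samples in it are constructed for illustration and are not Luckycat artifacts.

```python
import re

# Constructed sample attachments (not real Luckycat samples).
BENIGN_RTF = rb"{\rtf1\ansi\deff0 {\fonttbl{\f0 Times New Roman;}}\f0\fs24 Quarterly report.\par}"
SUSPICIOUS_RTF = (
    rb"{\rtf1\ansi{\shp{\*\shpinst{\sp{\sn pFragments}{\sv 9;2;"
    + b"4141" * 64  # stand-in for an embedded binary payload
    + rb"}}}}}"
)
NOT_RTF = b"%PDF-1.4\n% not an RTF file at all\n"


def is_rtf(data: bytes) -> bool:
    """RTF documents start with the '{\\rtf' group opener."""
    return data.lstrip().startswith(b"{\\rtf")


def scan_rtf(data: bytes) -> dict:
    """Apply CVE-2010-3333-style heuristics to one attachment.

    Returns a dict of findings; 'suspicious' is True when any heuristic fires.
    """
    findings = {
        "is_rtf": is_rtf(data),
        "pfragments": False,
        "long_hex_run": False,
        "suspicious": False,
    }
    if not findings["is_rtf"]:
        return findings
    # The pFragments shape property is what the CVE-2010-3333 overflow abuses;
    # ordinary word-processing documents almost never contain it.
    findings["pfragments"] = (
        re.search(rb"\\sn\s*pFragments", data, re.IGNORECASE) is not None
    )
    # Long uninterrupted hex runs are a generic sign of embedded binary content.
    findings["long_hex_run"] = re.search(rb"[0-9a-fA-F]{200,}", data) is not None
    findings["suspicious"] = findings["pfragments"] or findings["long_hex_run"]
    return findings


def triage_attachments(attachments: list[tuple[str, bytes]]) -> list[str]:
    """Return the names of attachments that should be quarantined for analysis."""
    flagged = []
    for name, data in attachments:
        result = scan_rtf(data)
        if result["suspicious"]:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    mailbox = [
        ("report.rtf", BENIGN_RTF),
        ("self-immolation-update.rtf", SUSPICIOUS_RTF),  # constructed lure name
        ("notes.pdf", NOT_RTF),
    ]
    for name in triage_attachments(mailbox):
        print("quarantine:", name, scan_rtf(dict(mailbox)[name]))
```

The script is a first-pass filter rather than a verdict: a flagged file still needs to be detonated or inspected in a sandbox, and the heuristics say nothing about the Adobe Reader and Flash Player lures the same campaign also used.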
On Thursday, Ars reported that similar advanced persistent threats are now starting to migrate from Windows machines to computers running Apple’s OS X.