Espionage Tactics Against Tibetans
A Citizen Lab research study of Chinese attack and espionage tactics against Tibetan networks and users.
This report describes the latest iteration in a long-running espionage campaign against the Tibetan community. We detail how the attackers continuously adapt their campaigns to their targets, shifting tactics from document-based malware to conventional phishing that draws on “inside” knowledge of community activities. This adaptation appears to track changes in security behaviors within the Tibetan community, which has been promoting a move from sharing attachments via e-mail to using cloud-based file sharing alternatives such as Google Drive.
We connect the attack group’s infrastructure and techniques to a group previously identified by Palo Alto Networks, which they named Scarlet Mimic. We provide further context on Scarlet Mimic’s targeting and tactics, and the intended victims of their attack campaigns. In addition, while Scarlet Mimic may be conducting malware attacks using other infrastructure, we analyze how the attackers re-purposed a cluster of their malware Command and Control (C2) infrastructure to mount the recent phishing campaign.
This move is only the latest development in the ongoing cat and mouse game between attack groups like Scarlet Mimic and the Tibetan community. The speed and ease with which attackers continue to adapt highlights the challenges faced by Tibetans who are trying to remain safe online.
News article.
Thoth • March 10, 2016 6:06 PM
@all
These exploits are simply methods that are out there. There are many higher-assurance techniques available to improve security and some are already rather mature (i.e. hardware protection via smartcards), but the thing is most of our systems are simply not catching up. Research on microkernels and minimal TCBs, verifiable systems and such has existed for decades, with small communities and little interest (due to resources and public interest).
We are still seeing people trying to harden Linux kernels with a huge TCB base to make them “secure” when we could have pushed more effort into more secure microkernel directions (i.e. the Genode project).
We have hardware-assisted login via security devices (i.e. FIDO devices), but the cost of deploying FIDO services for small servers and small groups can be tough due to resources. Google supports FIDO login, but the uptake of such measures to increase security is not seeing more use fast enough, likely because people don’t want to carry yet another security device, although fair enough, a phone-based 2FA is enough to ruin a person’s day. Is this just technology being unstable for 2FA or people just being lazy on security?
We know to be careful of clicking on suspicious links or opening email attachments, but I guess not many of us bother to think twice before clicking on a link or downloading email attachment contents despite knowing the risks.
This isn’t just a Tibetan issue but an issue on a global scale, with bad actors ranging from lone-wolf hackers to organised crime and state actors.
Despite years of research and education on security, we still haven’t moved much in my opinion. Secure technologies are still something most common people shun and think are for the paranoid, until something extremely nasty happens to them.