The security firm AlienVault reports that its own research on phishing attacks against non-governmental organizations supporting the Tibetan Government in Exile is now being used as bait in a new round of phishing attacks on those same NGOs.
The firm warned the public on Monday about a round of spear phishing e-mails being sent to NGOs related to Tibet. The e-mails mentioned previous research by the company on targeted attacks against Tibetan organizations. The phishing e-mails contain malicious links and attachments, including a new variant of a malicious program that can infect systems running Apple’s Mac OS X operating system, AlienVault warned.
AlienVault researcher Greg Walton wrote in a blog post that the company had detected e-mails sent to NGOs involved with work on Tibet on Monday with the subject “Targeted attacks against Tibet organizations.” Those e-mails contained malicious attachments, including Java applets that exploit a common vulnerability in the Java Runtime Environment.
The attack used malware for both Windows and Mac OS X devices, according to AlienVault researchers. The Mac OS X Trojan used is believed to be a variant of the GhostNet family and was undetectable by antivirus products as of Monday, according to a post by AlienVault’s Jaime Blasco.
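A mail-gateway triage check for the lure pattern the report describes (a subject line reusing a security-research title, Java applet or Office attachments, external links), written as an added example for this article; it is not AlienVault's code. The indicator names, extension sets, scoring threshold and the two sample messages are all constructed assumptions for illustration.

```python
"""Triage of spear-phishing e-mail for the lure pattern described in the article.

Added example, not AlienVault's code. Indicator lists, the scoring threshold and
the sample messages are assumptions constructed for illustration.
"""
import re
from email import message_from_string
from email.message import EmailMessage
from typing import Dict, List

# Attachment types the article names as carriers: Java applets and Office files.
# (assumption: these extension sets are illustrative, not exhaustive)
JAVA_EXTS = {".jar", ".class"}
OFFICE_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf"}

# Lure subject reusing a published research title (quoted in the article).
LURE_SUBJECTS = ["targeted attacks against tibet organizations"]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def triage(raw: str) -> Dict[str, object]:
    """Parse one RFC 822 message and collect the indicators the article lists."""
    msg = message_from_string(raw)
    findings: List[str] = []
    subject = (msg.get("Subject") or "").strip().lower()
    if any(lure in subject for lure in LURE_SUBJECTS):
        findings.append("subject reuses a security-research title")

    attachments: List[str] = []
    links: List[str] = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not content
        fname = part.get_filename()
        if fname:
            attachments.append(fname)
            ext = ("." + fname.rsplit(".", 1)[-1].lower()) if "." in fname else ""
            if ext in JAVA_EXTS:
                findings.append(f"java applet attachment: {fname}")
            elif ext in OFFICE_EXTS:
                findings.append(f"office attachment: {fname}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            links.extend(URL_RE.findall(text))
    if links:
        findings.append(f"{len(links)} external link(s) in body")

    # assumption: two or more independent indicators is enough to hold for review
    return {
        "subject": subject,
        "attachments": attachments,
        "links": links,
        "findings": findings,
        "suspicious": len(findings) >= 2,
    }


def build_lure_sample() -> str:
    """Constructed message mimicking the lure: research-title subject, link, .jar."""
    msg = EmailMessage()
    msg["From"] = "researcher@example.invalid"      # constructed sender
    msg["To"] = "office@ngo.example.invalid"        # constructed recipient
    msg["Subject"] = "Targeted attacks against Tibet organizations"
    msg.set_content("Full report here: http://lure.example.invalid/report.html")
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="java-archive", filename="report.jar")
    return msg.as_string()


def build_benign_sample() -> str:
    """Constructed ordinary message: plain subject, no links, PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "colleague@ngo.example.invalid"
    msg["To"] = "office@ngo.example.invalid"
    msg["Subject"] = "Meeting minutes"
    msg.set_content("Minutes attached, nothing else.")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="minutes.pdf")
    return msg.as_string()


if __name__ == "__main__":
    for name, raw in (("lure", build_lure_sample()), ("benign", build_benign_sample())):
        result = triage(raw)
        print(name, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

The check deliberately scores independent indicators rather than matching any single one, so a legitimate message that merely quotes a research title is not held on its own; in practice the attachment extension check would be replaced by content-type sniffing, since a renamed `.jar` still carries a ZIP signature.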
This isn’t the first time that the Tibetan Government in Exile and organizations supporting the Tibetan cause have been targeted. In 2009, researchers in Canada and the UK raised the alarm about a widespread and long-standing espionage campaign, dubbed GhostNet, against governments, human rights organizations and others. That campaign included malware-based surveillance of the Tibetan Government in Exile and the Free Tibet movement. Though no government has claimed responsibility for the spying, most fingers point to the government of China, which closely monitors the doings of the Dalai Lama and the Tibetan Government in Exile.
In a report on March 13, AlienVault’s Blasco said that the company detected several targeted attacks against Tibetan activist organizations including the Central Tibet Administration and International Campaign for Tibet, among others.
Researchers there believe that the attacks originated with the same group of Chinese hackers that launched the ‘Nitro’ attacks against chemical and defense companies late last year – an intriguing link between industrial and political espionage that would seem to suggest government backing.
According to AlienVault, the attacks in mid-March began with a spear phishing campaign related to the Kalachakra Initiation, a Tibetan religious festival that took place in early January. The phishing e-mails contained a contaminated Office file that exploited a known vulnerability in Microsoft software. The malware ultimately installed on the machines of those who fell for the attack was a variant of the Gh0st RAT (remote access Trojan).
That malware, along with the Poison Ivy remote administration tool, is a common element in GhostNet attacks. In fact, Gh0st RAT was the same malware used in the Nitro attacks last year against energy and chemical industry firms. Other variants of it were used in the GhostNet attacks on governments, diplomatic missions and the private offices of the Dalai Lama in 2009. AlienVault claims that the variant it captured in the Tibetan attacks appeared to come from the same actors.