Researchers See Spike in Attacks Against Uyghur Users

Researchers have noticed a spike in cyberattacks over the past few weeks targeting the Uyghur people, a Turkic ethnic group based primarily in China and Kazakhstan. The attacks have been exploiting a Microsoft Word vulnerability patched in June 2009, according to a Securelist post by Kaspersky Lab Senior Security Researcher Costin Raiu yesterday.

UyghurResearchers have noticed a spike in cyberattacks over the past few weeks targeting the Uyghur people, a Turkic ethnic group based primarily in China and Kazakhstan. The attacks have been exploiting a Microsoft Word vulnerability patched in June 2009, according to a Securelist post by Kaspersky Lab Senior Security Researcher Costin Raiu yesterday.

The attacks happen after Uyghur supporters, particularly members of the World Uyghur Congress, receive a specially rigged Word document via a spear-phishing email. When victims open the file, they’ll see the real document but a second, fake document also pops up that drops a backdoor. The backdoor goes on to steal the user’s contacts, taking advantage of an old Word stack buffer overflow vulnerability (CVE-2009-0563).

AlienVault Labs, which worked with Kaspersky Labs on the investigation, has posted its account of the espionage campaign, pointing out one of the rigged Word documents is ironically titled “Rise in possible state-sponsored hacking”.

The Uyghur people are no stranger to malicious online attacks. Last summer Uyghur Mac users were targeted in an APT campaign that unleashed a MaControl Trojan, “Backdoor.OSX.MaControl.b” on their systems. That malware let attackers run commands on the infected computer and allowed attackers access to the victim’s files.

Tibetan and Uygur human rights groups were also targeted earlier this year by a twofold watering hole campaign. That campaign exploited both a Java and Internet Explorer zero-day and infected machines with a remote control Trojan.

It probably shouldn’t come as a surprise that many researchers have implicated China in these attacks. Kaspersky Lab researchers traced a command and control server that was communicating with the MaControl Trojan to an IP address in China last summer while researchers at Avast placed the blame on China in a blog entry discussing the watering hole attacks last month.

China has long viewed the Uyghur people as aggressors; a decade ago it even labeled the World Uyghur Congress as a terrorist organizations, claiming it was inciting unrest in the Xinjiang region of the People’s Republic.

Suggested articles