Study Confirms Uyghur Remain in Crosshairs of Targeted Attacks

A research paper to be delivered next week at USENIX takes a deep look into the reconnaissance nation-states undergo in order to craft email-based attacks against non-governmental organizations.

It’s no secret that activist groups supporting the Uyghur and other ethnic minorities, living either in exile or under oppressive governments, have been in the crosshairs of targeted attacks for years. Regimes use phishing emails, other social engineering tactics, and drive-by downloads to infect computers belonging to dissidents in an attempt to monitor their communications and, in some cases, their physical location.

One such ethnic minority, the Uyghur of China, has been relentlessly targeted. A recent study published by researchers at Northeastern University in Boston and the National University of Singapore took an expansive look into targeted attacks against the World Uyghur Congress (WUC), a non-governmental organization (NGO). The researchers published a paper called “A Look at Targeted Attacks Through the Lense of an NGO” that examines the reconnaissance that goes into email attack campaigns against Uyghur people. The paper is scheduled to be presented at the USENIX Conference next week in San Diego.

The attackers go to great lengths to infiltrate their victims, tailoring phishing messages with precision with respect to the language and specialization of the victim, the paper said. Emails are often spoofed to appear to come from compromised accounts belonging to high-value members of the WUC activist community. As in targeted attacks against industry and governments, victims are tricked into opening infected attachments that unleash malware; the malware connects to the attacker through a backdoor, sending keystrokes, stolen data and system information back to a remote server.

Worthy of note, none of the incidents investigated—the researchers looked at 1,493 suspicious emails voluntarily turned over by two members of the NGO—involved a zero-day vulnerability. Most were recently disclosed flaws that had been patched.

“WUC employees constantly receive suspicious emails impersonating their colleagues and containing malicious links and attachments,” the paper said. “These emails consistently evade spam and malware defenses deployed by webmail providers and are often relevant to WUC’s activities. In fact, our volunteers claim that the emails are often so targeted that they need to confirm their legitimacy with the impersonated sender in person.”

The two volunteers turned over the content of the 1,493 emails received during a four-year stretch, more than one a day on average. Close to 1,200 of those messages contained malware delivered as a Microsoft Office document, an Adobe PDF file, or compressed inside a ZIP or RAR archive.

The attacks are not opportunistic; the attackers exploit the trust the user has in the supposed sender, either by spoofing that sender’s email address or by using a phony address that differs from the real one by a slight typo. Generally, the researchers discovered, several members of an NGO are attacked simultaneously, and the emails are usually related to a popular WUC event.
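The impersonation pattern described above (a colleague’s name on a lookalike domain, carrying an Office, PDF or archive attachment) lends itself to a simple triage check that staff or a mail gateway can run before anyone opens an attachment. The following is an added example, not code from the paper or from Threatpost; the domain, the colleague directory and the sample messages are all constructed placeholders.

```python
import re

TRUSTED_DOMAIN = "example-ngo.org"                        # hypothetical NGO domain
COLLEAGUES = {"alice example": "alice@example-ngo.org"}   # hypothetical directory
RISKY_EXTENSIONS = {".doc", ".docx", ".xls", ".ppt", ".pdf", ".zip", ".rar"}

def edit_distance(a, b):
    """Levenshtein distance; small inputs, so a plain DP table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_from(header):
    """Split 'Display Name <user@domain>' into (name, address), lower-cased."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip().lower(), m.group(2).strip().lower()
    return "", header.strip().lower()

def triage(msg):
    """Return the reasons a message deserves in-person confirmation with the sender."""
    name, addr = parse_from(msg["from"])
    domain = addr.rsplit("@", 1)[-1]
    reasons = []
    # Near-miss of the real domain: the 'slight typo' impersonation the study describes.
    if domain != TRUSTED_DOMAIN and edit_distance(domain, TRUSTED_DOMAIN) <= 2:
        reasons.append(f"lookalike domain {domain}")
    # A colleague's display name paired with an address that is not theirs.
    if name in COLLEAGUES and addr != COLLEAGUES[name]:
        reasons.append(f"display name '{name}' does not match directory address")
    # Attachment types the study observed carrying malware.
    for fname in msg.get("attachments", []):
        ext = "." + fname.lower().rsplit(".", 1)[-1] if "." in fname else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment {fname}")
    return reasons

SAMPLES = [  # constructed sample messages, not real captures
    {"from": "Alice Example <alice@example-ngo.org>", "attachments": ["agenda.txt"]},
    {"from": "Alice Example <alice@exarnple-ngo.org>", "attachments": ["Conference_Agenda.doc"]},
    {"from": "newsletter@other-site.net", "attachments": ["report.pdf"]},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["from"], "->", triage(s) or ["no flags"])
```

The second sample trips all three checks: "rn" stands in for "m" in the domain, the display name belongs to a real colleague, and the attachment is an Office document.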

Popular defenses such as email and webmail filtering have relatively low detection rates in these attacks, the paper said. Most of the email attacks rely on relatively new vulnerabilities that have not been incorporated into signature-based defenses, the researchers said. A number of the attacks match patterns attributed to some known advanced persistent threat campaigns sponsored by nation states, they added.

Groups such as Citizen Lab at the Munk School of Global Affairs at the University of Toronto have been active in exposing these campaigns and in offering awareness and assistance to groups such as the Uyghur. More than a year ago, for example, they exposed campaigns using Android-based malware that reported physical location back to an attacker. They also instituted a program called Detach from Attachments that educated activists about the potential dangers associated with email attachments and of the need to safely move away from them.

Experts told Threatpost at the time that the Chinese want to keep Tibetan activists from communicating and coordinating demonstrations and protests, and have moved on from exclusively using email-based attacks to using watering hole attacks and mobile-based malware for surveillance.

“Of course what’s disturbing and alarming is that the authorities would be interested in getting [Tibetans] to install this kind of surveillance tool ourselves on our own phones,” said Lhadon Tethong, director of the Tibet Action Institute at the time. “It doesn’t take much to track people. It’s alarming, but not all surprising or new for us.”
