[liberationtech] [governance] Report: cyber-espionage against NGOs, activists and journalists

Sivasubramanian M isolatedn at
Sun Sep 26 22:40:18 PDT 2010

And, from the Privacy list: NYTimes: U.S. wants access to *all* encrypted
Internet communications (New York Times)

On Mon, Sep 27, 2010 at 10:38 AM, Sivasubramanian M <isolatedn at> wrote:

> In other parts of the world, it is not exactly torture and a prison term,
> but activists, NGOs and journalists can't possibly be euphoric that their
> communications are private and free of surveillance. China makes news, China
> is loud in its methods, but elsewhere around the world the same is possibly
> happening in a lesser degree in a more subtle, undetected form. Can it be
> argued that other Governments anywhere do not use available technology to
> monitor activists, NGOs and journalists?
> Sivasubramanian M
> On Sun, Sep 26, 2010 at 9:09 PM, Rebecca MacKinnon <
> rebecca.mackinnon at> wrote:
>> From the South China Morning Post Sunday Magazine.
>> Chain of commands
>> Mainland authorities are detaining individuals for perceived crimes committed
>> online. But how do they access such incriminating information?
>> Paul Mooney
>> Updated on Sep 26, 2010
>> When Norzin Wangmo used her computer and mobile
>> phone two years ago to communicate with friends about protests in Tibet, she
>> had no idea it would result in her torture and a five-year prison sentence.
>> Detained soon after sending the messages, the 30-year-old Tibetan
>> government worker and writer was accused by officials of using the
>> technology to inform the outside world about civil unrest in Tibet.
>> After months in detention, during which her friends said she was tortured,
>> the five-year prison term was handed down. Few other details about Norzin
>> Wangmo, who leaves behind a young son, are known.
>> No one is sure how Chinese intelligence obtained the details of her
>> communications. But the story is a frightening example of the dark side of
>> internet espionage on the mainland, where people perceived to be a threat to
>> the state are targeted, including ordinary Chinese citizens, scholars,
>> human-rights workers, journalists, diplomats and businesspeople.
>> Many security experts who study China believe the government is being fed
>> information by a loose and shadowy network that includes the hacker
>> community, organised crime and other parts of government, including security
>> agencies and the People's Liberation Army (PLA).
>> "The sheer amount of energy and resources the Chinese government has
>> thrown at this is enormous," says Lhadon Tethong, director of the
>> Canada-based Tibet Action Institute, which helps Tibetans fight for rights,
>> primarily through the safe exchange of information, using sophisticated
>> technology.
>> Many victims of internet espionage are quick to point a finger at the
>> central government.
>> "Who else would attack us?" asks Chine Chan, a researcher for Amnesty
>> International Hong Kong. "It doesn't make sense unless it's the government."
>> Security experts, however, are careful to explain that no smoking gun has
>> yet been found linking the hacking and the use of malware - malicious
>> software designed to secretly access a computer system - to Beijing.
>> Greg Walton, an independent cyber security researcher based in Britain,
>> believes the attacks are the work of groups of players. He points to
>> Chongqing, where there is a concentration of internet espionage control and
>> command centres, as an example.
>> "Chongqing is interesting in that it's like a nexus of organised crime,
>> the party, a big computer-hacking scene and all sorts of PLA installations,"
>> he says. "It's a combination of many forces that do these attacks. It's not
>> a secret that the data is ending up with the state. Any other explanation is
>> improbable."
>> Experts say the spying is highly organised and professional, with some
>> hackers working in shifts, even making note of when targets are having lunch
>> or taking breaks.
>> It is also likely that many hackers are working independently and some
>> targets are being compromised by more than one malware group, says Nart
>> Villeneuve, a researcher at the Information Warfare Monitor (IWM), whose
>> members include the Citizen Lab, Munk School of Global Affairs, the
>> University of Toronto and the SecDev Group, a security consultancy based in
>> Canada.
>> Walton says patriotic hackers are probably selling information to the
>> government, providing it with "another layer of deniability".
>> Since last year, IWM has published two reports on cyber-espionage
>> networks: "Tracking GhostNet: Investigating a Cyber Espionage Network" and
>> "Shadows in the Cloud: An investigation into cyber espionage 2.0."
>> GhostNet is the name investigators have given to a network of more than
>> 1,200 compromised computers in 103 countries, including foreign affairs
>> ministries, embassies, international organisations, news organisations and a
>> computer in the headquarters of Nato. The network's command and control
>> centre appears to be on Hainan Island, home of the Lingshui signals
>> intelligence facility and the Third Department of the PLA.
>> In September and October 2008, IWM investigated alleged cyber espionage on
>> the computer systems in various offices related to the work of the Tibet
>> government in exile and other Tibetan groups. These included the Office of
>> His Holiness the Dalai Lama, in Dharamsala, India, organisations in the
>> United States, Britain, France, Belgium and Switzerland, and the office of
>> Drewla, an NGO which runs an online outreach project that uses young
>> Chinese-speaking Tibetans to talk with people in the mainland about the
>> situation in Tibet.
>> The GhostNet report said some 70 per cent of the control servers behind
>> the attacks on Tibetan organisations were located on IP addresses assigned
>> to the mainland.
>> During an investigation at the Dalai Lama's private office, Walton
>> observed as documents were being pilfered from the computer network,
>> including a file containing thousands of e-mail addresses and another
>> detailing the negotiating position of the spiritual leader's envoy.
>> During the investigation into the so-called Shadow Network, investigators
>> were able to obtain data taken by the attackers, including some 1,500
>> letters sent from the Dalai Lama's office between January and November last
>> year. While the report said many of the letters did not contain sensitive
>> information, it added that they allowed the attackers to collect information
>> on anyone contacting the exiled spiritual leader's office.
>> The team traced the attacks to hackers apparently in Chengdu, which is
>> also the location of one of the PLA's technical reconnaissance bureaus
>> charged with signals intelligence collection. Researchers said one hacker,
>> who used the cyber name "lost33", had attended the University of Electronic
>> Science and Technology of China, which publishes manuals on hacking and
>> offers courses on network attack and defence security.
>> The authors said an anomaly was detected when analysing traffic from the
>> offices of the Tibet government in exile: computers in Dharamsala were
>> checking in with a command and control server situated in Chongqing. Despite
>> Chongqing Communist Party chief Bo Xilai's high-profile anti-corruption
>> campaign, the city still has a high concentration of gangs said to have ties
>> to the government and which have extended their traditional criminal
>> activities to include cyber crime.
>> While Walton admits no direct link to the central government has been
>> detected, he does not seem to have any doubts about who is behind the
>> attacks.
>> "Some people shy away from saying it's the state," he says, "but there's a
>> growing body of evidence. My own feeling is that sooner or later someone
>> will be able to prove it."
>> The "Shadows in the Cloud" report, which Walton contributed to, points to
>> the existence of a vibrant hacker community in the mainland "that has been
>> tied to targeted attacks in the past and has been linked, through informal
>> channels, to elements of the Chinese state, although the nature and extent
>> of the connections remains unclear".
>> The authors allude to a "privateering" model in which the government
>> authorises citizens to carry out attacks against "enemies of the state".
>> However, the report referred to research by Scott Henderson, author of The
>> Dark Visitor: Inside the World of Chinese Hackers. Henderson wrote that
>> there was disagreement about the exact relationship between hackers and the
>> state, running from "authorise" to "tacit consent" to "tolerate".
>> The most plausible explanation, the report said, and the one supported by
>> the evidence, is that the Shadow Network is based in the mainland and run by
>> one or more people with close ties to the country's criminal underworld.
>> The report concluded: "As a result, information that is independently
>> obtained by the Chinese hacker community is likely to find its way to
>> elements within the Chinese state."
>> Lhadon Tethong says security experts she's spoken to consider the cyber
>> war "a lost game" but that she takes a different approach - trying to remain
>> one step ahead of the mainland authorities.
>> "We're looking at new technologies that haven't come out yet and how they
>> can be used in Tibet," she says. "The Chinese government can control your
>> BlackBerry or laptop, but let's look beyond that, at iPads and Android
>> technology [a mobile-phone operating system developed by Google]. You cannot
>> stop it. The force is just too strong.
>> "We worked with young and innovative technical experts and geeks from the
>> beginning," she says. "The optimistic part is that the advances in
>> communications technology are happening so quick that the Chinese
>> bureaucracy can't keep up. Saying you can't do this or that because they're
>> too good is just not true."
>> She cites the microblogging service Twitter, which the authorities managed
>> to block. Before that, Tibetan activists had found it a useful tool for
>> getting their message across both within and outside the mainland.
>> "You can block one site and another will pop up, and it won't take long
>> before people find it," she says. "You can try to control it but there's no
>> way to stop it and I think they know that."
>> Chan agrees. "The trend can't go back. It's important to learn how to get
>> around [the controls]. If civil society grows faster than the government
>> controls, then you win."
>> Meanwhile, the attacks are increasing in number and in sophistication.
>> On March 18, people on the mailing list of Human Rights in China (HRIC)
>> received an e-mail that appeared to be from director Sharon Hom. The subject
>> line - "Microsoft, Stool Pigeon for the Cops and FBI" - convinced many
>> recipients to take a look at the enclosed attachment. Within seconds the
>> e-mail was flying around cyberspace, with thousands receiving it and passing
>> it on to others.
>> But the e-mail was not from Hom. It was a "spear phishing" e-mail that
>> lured recipients to visit a compromised website in Taiwan. Those who clicked
>> on the link unknowingly loaded malware that allowed the attackers to take
>> control of their computers from a server in Jiangsu province.
>> In a report on the HRIC attack, Villeneuve wrote that the malware spread
>> via the e-mail was traced to a command and control centre in Jiangsu. He
>> said the nature of the compromised entities and the data stolen by the
>> attackers indicated correlations with the mainland's strategic interests.
>> But he concluded that "we were unable to determine any direct connection
>> between these attackers and elements of the Chinese state".
>> Earlier this year, a foreign journalist was conducting a text conversation
>> on Skype with Tsering Woeser, a Beijing-based Tibetan poet and commentator,
>> when the journalist received an article over the internet service. When the
>> suspicious reporter called Tsering Woeser to ask about the file, she was not
>> even home. Someone had hijacked her account and started conversations with
>> 30 of her Skype friends, several of them journalists. They even imitated the
>> way the poet spoke. Some were tricked into downloading malware. This was the
>> second hijacking of her Skype account in two years.
>> Most cyber attacks rely on a tactic known as "social engineering",
>> manipulating people to get them to provide computer access through trickery,
>> rather than technical hacking.
>> "At the root it's not technology," Walton says. "The deeper the
>> penetration, the more intelligence they can feed into a social engineering
>> attack. If I look at your computer, I can draft e-mails that you will trust
>> more and more."
>> Robbie Barnett, director of the Modern Tibet Studies programme at Columbia
>> University, in the United States, says the attackers are getting
>> increasingly sophisticated in their use of social engineering. They use the
>> names of people you know, refer to an incident over the past 48 hours, often
>> with a provocative subject, and may even have the actual sender's real
>> e-mail address. He says no one can be 100 per cent safe, no matter what
>> precautions are taken.
>> "Eventually, they hit a bull's eye," Barnett says, "They send you a letter
>> from a Tibetan who's just written to you and could easily be sending
>> something to you. Even if you've been careful for years, you could fall for
>> it."
>> Typically the target receives an e-mail appearing to be from an
>> acquaintance. Often it mentions some sensational detail that lures the
>> victim into opening a file or visiting a website that opens a backdoor,
>> where malware can be planted.
>> Control is often maintained through the use of the Chinese Gh0st RAT
>> (remote access tool). These trojans enable nearly unrestricted access to the
>> infected system. The attacker can then carry out surveillance of the
>> attacked computer, pilfer files and e-mails and send data to other
>> computers, and use the infected computer as a platform to launch future
>> attacks against computers around the world.
>> "It's all part of a trend that I've been watching for a decade," says
>> Walton, "pushing surveillance of the population from the network to the
>> desktop.
>> "Everything you can do, they can do - it's like they're sitting in front
>> of your computer. They can turn on the webcam, the microphone and access
>> documents. Someone is staring back at you through your webcam. It's
>> Orwellian."
>> While much of the activity seems focused on gathering intelligence and
>> disruption of operations, in some cases the attacks are more dangerous. In
>> July, the website of Chinese Human Rights Defenders was shut down several
>> times by direct denial of service (DDOS) attacks. In April, the Foreign
>> Correspondents' Club of China was forced to take its website offline
>> temporarily after being repeatedly hit by DDOS attacks.
>> In January, Google announced it had found "a highly sophisticated and
>> targeted attack on our corporate infrastructure originating from China that
>> resulted in the theft of intellectual property". The attack was said to have
>> targeted the Google e-mail accounts of Chinese human-rights activists.
>> Journalists have also become a target. In April, Andrew Jacobs, Beijing
>> correspondent for The New York Times, wrote an article detailing how his
>> computer had been hacked and e-mails redirected to an unknown address.
>> Jacobs said scores of foreign reporters in the mainland had experienced
>> similar intrusions.
>> Last September, several foreign news bureaus in Beijing began receiving
>> e-mails from "Pam", who said she was an economics editor. The e-mails, which
>> were in well-written English and included a list of genuine contact names,
>> detailed a proposed reporting trip. However, when the attached PDF was
>> opened it unleashed malware.
>> Walton and Villeneuve, who studied the virus, said in a report that the
>> file appeared to be a legitimate document that had been stolen from a
>> compromised computer, which was then modified to include malware and serve
>> as a lure. While they said the malware could not be traced back to the
>> central government, the recipients were Chinese news assistants, whose
>> e-mail addresses were not widely known to the public, but were to the
>> Ministry of Foreign Affairs.
>> Richard Baum, moderator of Chinapol, an online community of more than 900
>> China watchers, including journalists, lawyers and analysts, says the group
>> has suffered "a certain amount of leakage" of membership lists and e-mail
>> traffic. Members have also received phishing e-mails. Recently, an e-mail
>> was sent to some members purporting to be the new member e-mail list, which
>> had a malware attachment.
>> Walton says data was being sent back to a computer in Chongqing within 30
>> seconds of the malware being accepted.
>> In the HRIC incident, a member of Chinapol sent the e-mail to all its
>> members, some of whom in turn passed it on to their acquaintances.
>> What's troubling is anti-virus software used by the general public is not
>> always effective in catching these viruses. In the case of the HRIC attack,
>> there was very low anti-virus cover, with only eight out of 42 anti-virus
>> products detecting the file as malware, the investigation found. In the case
>> of the news assistants who downloaded malware, only three of 41 anti-virus
>> products used by VirusTotal, a service that analyses suspicious files and
>> URLs, detected the malicious code embedded in the PDF file.
>> Fake e-mails also create confusion. A human-rights activist in Hong Kong
>> tells of an e-mail sent out in her name revealing certain information only
>> known to people she worked closely with.
>> "This is their way of saying, `We know who you are and what you're doing',
>> to make you feel scared," she says. "Even if people know the e-mail is not
>> from me, the damage is already done. The next time they'll ask if it's
>> really from me."
>> HRIC's Hom says: "This is seriously raising security issues for us. It
>> makes every NGO, every journalist, every contact ask if they get an e-mail
>> from me if it's real. As a small NGO we don't have the resources, technical
>> expertise and capacity to guard ourselves against such high-level attacks.
>> It makes it very difficult for us to do our work.
>> "How can any organisation, company or government function if communication
>> with other persons or organisations runs the risk of a malware attack that
>> undermines the trust in the organisation? The biggest impact on us is we
>> have to be extremely careful not to compromise the security of the people
>> we're dealing with."
>> One example of this, from the GhostNet report, is that of a young Tibetan
>> woman who was returning to her village after having worked for two years in
>> India. She was stopped at the Nepal-Tibet border by Chinese intelligence
>> officers. The woman was taken to a detention centre, where she was
>> interrogated about her connection with Drewla.
>> She insisted she had gone to India just to study, denying any political
>> involvement, but her claims were waved away. The officers then pulled out a
>> dossier on her activities in India, including transcripts of her online
>> chats about Tibet.
>> She was held for two months and then allowed to return to her village.
>> As a result, many activists are now reluctant to send information over the
>> internet and even delete e-mails from people they don't know or that look
>> suspicious. The result is less information is getting through to the people
>> who need it.
>> "It's caused a lot of problems for me," says Tsering Woeser, who is often
>> under police surveillance. "First, because of my situation, I can only
>> contact my friends through Skype and e-mail, and now some Tibetan friends
>> are afraid to contact me. I'm getting much less information than before.
>> It's a huge interference."
>> Tsering Woeser says her internet activities are constantly probed. In a
>> recent incident, she received an e-card from dissident writer Yu Jie, which
>> turned out to be a phishing spear. She says that at least once a month a
>> person pretending to be a Tibetan attempts to make contact with her online.
>> "But what I worry about most is that the people who are in contact with me
>> may get into trouble and I won't even know about it," she says.
>> Barnett also depends on sources to provide him with news from tightly
>> controlled Tibetan areas. He says he, too, is now receiving far less
>> information than in previous years. "The deterrent effect on people sending
>> information is very effective," he says. "This is having a massive effect on
>> the limitation of outsiders finding out what's happening in China. A lot of
>> it works by fear, intimidation and self-censorship. People are worried about
>> interception."
>> Barnett says this climate of surveillance suggests to anyone considering
>> sending information "that they should think twice".
>> The culture of security in China, he says, means the government only has
>> to go after a few people to have a deterrent effect.
>> "You only have to pick up three people for passing on information and that
>> will deter hundreds of thousands of others," he says. "The system may now be
>> more powerful than us."
>> Walton says there has been a clear increase in the number of incidents
>> this year, although he cautions that this may be due to the fact people are
>> more on the lookout for these things.
>> "There's more awareness and people are suspicious of links and e-mails,"
>> he says. "In terms of forward trends, I see a continuous escalation of these
>> attacks. People are being compromised every day and I'm getting examples on
>> a daily basis."
>> Experts say that if Beijing is not responsible for the attacks, it has a
>> responsibility to shut down hackers working within its borders.
>> "I have never and still don't make the claim that it was the government,"
>> Hom says. "But if China insists on internet sovereignty and sovereignty over
>> its territory, it has to take responsibility for these kinds of cyber
>> attacks. It has to show the international community that it has taken steps
>> to investigate, track down and end these attacks."
>> Rebecca MacKinnon
>> Schwartz Senior Fellow, New America Foundation
>> Co-founder,
>> Cell: +1-617-939-3493
>> E-mail: rebecca.mackinnon at
>> Blog:
>> Twitter: