* Expert says may be effort to spy on human rights experts
* Hackers use two-stage campaign known as "water hole" attack
* They exploit Java bug to infect Windows PCs, Macs
By Jim Finkle
BOSTON, Aug 12 A prominent computer security
firm warned that the Dalai Lama's Chinese-language website has
been hacked and is infecting visitors' computers with viruses in
what may be an effort to spy on human rights activists who
frequently visit the site.
Kaspersky Lab researcher Kurt Baumgartner told Reuters on
Monday that he is advising web surfers to stay away from the
Chinese-language site of the Central Tibetan Administration, or
CTA, until the organization fixes the bug. He described the
attack on his company's blog.
Technical evidence suggests the group behind the campaign
was also responsible for previous breaches on that site as well
as attacks on groups that focus on human rights in Asia,
Baumgartner said.
Those breaches involved a two-stage attack technique known
as "water holing," where hackers first infect a site that is
frequently visited by people whose computers they want to
control. That compromised site automatically seeks to infect the
PCs of all visitors, downloading malicious software that the
hackers can use to take control of their computers.
Officials with the Office of Tibet in New York could not be
reached for comment. That office is the official representative
to the United States for the Dalai Lama, Tibet's 78-year-old
exiled spiritual leader, who fled China to India in 1959 after
an abortive uprising against Chinese rule.
Beijing considers the globe-trotting monk and author a
violent separatist and Chinese state media routinely vilify him.
The Dalai Lama, who is based in India, says he is merely seeking
greater autonomy for his Himalayan homeland.
Baumgartner said that the Chinese-language site of the
Central Tibetan Administration, which is the official organ of
the Dalai Lama's government in exile, has been under constant
attack from the same group of hackers since 2011, though
breaches have been quietly identified and repaired before
garnering significant attention.
SAME GROUP OF ATTACKERS
"They have been trying repeatedly to find vulnerabilities in
the site," he said.
He said that it is safe to visit the group's English and
Tibetan sites.
He said he believes the same group of attackers has
repeatedly infected the site with malicious software that
automatically drops viruses on computers running Microsoft
Corp's Windows and Apple Inc's Mac operating
systems.
They infect machines by exploiting security bugs in Oracle
Corp's Java software, he said. An Oracle spokeswoman
had no immediate comment.
That gives them "back doors" into those computers. "This is
the initial foothold. From there they can download arbitrary
files and execute them on the system," Baumgartner said.
Will Gragido, a researcher with the RSA security division of
EMC Corp who is an expert on water holing, said the
attack on the Tibetan site had the look of a type of campaign
known as an "advanced persistent threat," or APT.
In some cases APTs are launched through tainted emails. In
others this is done through "water holes," which are named after
specific locations that lions stake out to attack their prey,
rather than traveling the wild to hunt them out.
"The CTA is a site most people are not going to traverse,"
Gragido said. "They are less likely to see my grandmother
traversing that site than they are somebody with a vested
interest in seeing what's going on in Tibet."
In March of last year, the cybersecurity firm AlienVault
Labs reported that it identified cyber attacks on Tibetan
organizations including CTA and the International Campaign for
Tibet.
AlienVault said those attacks were engineered by a Chinese
APT group also responsible for the "Nitro" attacks on dozens of
companies identified by Symantec Corp in 2011.
The report of the cyber attack is the latest to involve
human rights groups in greater China.
Human rights groups and other NGOs focused on China were hit
by denial of service attacks that disrupted their websites and
several said their emails were infiltrated during a spate of
cyber attacks attributed to China in 2010 and 2011.