Chinese hackers & Operation ‘Luckycat’ against Japan, Tibet and India

Pierluigi Paganini April 02, 2012

Recently experts monitored several targeted attacks against Tibetan activist organizations including the International Campaign for Tibet and the Central Tibet Administration. Researchers suspect the involvement of China and on groups of hackers sponsored by the Beijing government. In multiple cases, we have seen how the Chinese government promotes and supports from the economic point of view these initiatives.

The experts of the AlienVault Lab have hypothesized that the group of Chinese hackers was the same responsible for the attacks against chemical and defense companies late last year in an operation named ‘Nitro’.

The attacks carried out using a tested scheme starting with a spear phishing campaign that uses an infected Microsoft Office file to exploit a known vulnerability in Microsoft. As usually the content of the email refer a topic of interest for the final target, in this case, related to the Kalachakra Initiation, a Tibetan religious festival that took place in early January. The vulnerability that has exploited is known Office stack overflow vulnerability (CVE-2010-3333).

The malware used is a variant of Gh0st RAT, a well know remote access Trojan, that enables to acquire the total control of the target allowing documents theft and cyber espionage. Gh0st RAT was the tool also used in the Nitro attacks and the instance isolated in the last attacks against Tibet is correlated to it, the intent this time is to infiltrate organizations for political reasons.

Researchers identified five families of malware, free Web hosting services for their command and control machines and also a malware called TROJ_WIMMIE. This malware exploited Rich Text Format Stack Buffer Overflow Vulnerability (CVE-2010-3333) and also Adobe Reader and Flash Player vulnerabilities.

Don’t forget that Chinese Government has always done an oppressive policy against the nation, in April of 2008 protests erupted hard in some cities in Tibet that have been repressed by the government in Beijing with the use of force.  During last years have been detected in numerous cases of violations of human dignity in Tibet by the Chinese government. According to the Dalai Lama in Tibet, we are assisting to cultural genocide.

Trend Micro, the famous security firm, has released a research paper that demonstrates the relationship between attacks against the computers of Tibetan activists and companies in Japan and India and the activities performed by a group of Chinese hackers.

The operations are known as part of the “Luckycat” cyber campaign began around June 2011, more over 90 attacks against targets in India, Japan and Tibetan activists.

Last week on the New York Times has been published an article that announced that the responsible of the attacks has been identified, he is a Chinese former graduate student who seem to work for Tencent, China’s leading Internet portal company.

The hacker is named Gu Kaiyuan, once a graduate student at a Chinese university he receives government financial support for its computer security program and currently an employee at Chinese portal Tencent. Kaiyuan was involved in recruiting students for his school’s computer security and defense research.

Trend Micro researchers have also found that the group attacked also military research institutes and aerospace, energy, engineering, and shipping companies.

The Trend Micro researchers, led by Nart Villeneuve, traced the hacks to an e-mail address used to register one of the command and control servers the malware accessed. That e-mail address was then found to map to a Chinese instant messaging account belonging to a Chinese hacker, ““dang0102.”

A reconstruction made by Trend Micro’s experts revealed that in 2005 the hacker was already operating as a recruiter:

“The same hacker also published a post on a student BBS of the Sichuan University using the nickname, “scuhkr,” in 2005,” the report stated. “He wanted to recruit 2-4 students to a network attack and defense research project at the Information Security Institute of the Sichuan University then. Scuhkr also authored articles related to backdoors and shellcode in a hacking magazine that same year.”

Of course this the involvement of Gu Kaiyuan doesn’t prove the campaigns are officially sponsored by the Chinese government but the target choosen let the expert believe that behind the hacker there is the Bejing government. The former diplomat James A. Lewis, actual director at the Center for Strategic and International Studies in Washington, declared on the events:

But “(t)he fact they targeted Tibetan activists is a strong indicator of official Chinese government involvement,”the Times quotes. “A private Chinese hacker may go after economic data but not a political organization.” .

Personally, I’m sure of the involvement of the Chinese Government for the nature of the targets attacked and the way in which the attacks were carried out. The involvement of young hackers is part of a aggressive cyber strategy carried out by China, which has long invested in youth resources involving them in cyber espionage and hacking activities.

To conclude the event in question I remark that this is just the tip of the iceberg, similar activities are conducted daily by cyber militia in China and very often due the nature of attacks are involved young professionals in the IT sector … probably we have to learn by this approach.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – cyber espionage, luckycat)

[adrotate banner=”5″] [adrotate banner=”13″]

you might also like

leave a comment