Cyber Espionage April 11, 2008, 6:01PM EST

Activist Groups Under Cyber Attack

Other organizations might learn from recent cyber-spying events—via bogus e-mail, or spear-phishing—at Students for a Free Tibet and Save Darfur

Nepalese police arrest a Tibetan protester during an anti-China demonstration in Kathmandu. Photo: Prakash Mathema/AFP/Getty Images

Editor's note: This is the second article in a series on cyber espionage.

When Conall Watson resigned from the board of directors at activist group Students for a Free Tibet UK in June, 2007, someone—not a friend—was watching on the Web. The 25-year-old British pharmacist, who worked for the free-Tibet movement in his spare time, had sent a mass farewell e-mail mentioning his departure and a change in his e-mail address. "I'm stepping down from the SFT UK organizing group," part of the message, reviewed by BusinessWeek, reads.

Nine months later, Conall Watson's name—and parts of that same 2007 sayonara e-mail—returned to haunt the activist organization in the form of a stealthy cyber-attack the group believes was launched from China. On Feb. 19, Students for a Free Tibet Executive Director Lhadon Tethong and other board members found a new message in their in-boxes. The note, addressed from Conall Watson, mentioned that he planned to pass along the résumé of a potential new activist.

"Dear Alex, Ben and all other SFT friends," the message, also reviewed by BusinessWeek, reads. "What a pity I can do little for the Tibetan cause, while I know you are all still fighting bravely for it. Yesterday a Tibetan friend came to my office and asked me to recommend his nephew Rinzen Yeshe to join the SFT UK.… I will email his [résumé] very soon. Best wishes, Conall. p.s. He is a Tibetan friend of mine who I trust, so I trust his nephew."

An hour later, the résumé arrived. But suspicious SFT UK members called Watson to ask if he had sent the message. He had not. An alert was sent out, say SFT officials, and nobody opened the résumé. How did the unknown attackers learn so much about Conall Watson? "Either the message was intercepted, or it might have been an inside job," says Watson. SFT UK members have received harassing phone calls in the past, he says. "But the Internet was new."

A Sweep of Spear-Phishing

Students for a Free Tibet is just one of thousands of alleged victims of a growing wave of cyber-spying (BusinessWeek, 4/10/08).

From the U.S. government and defense contractors to big banks and high-profile activist groups, millions of similarly sophisticated e-mails loaded with malicious code are being zapped through the Internet, to penetrate PCs, steal secrets, and report back to their electronic masters. Known as 'spear-phish,' the targeted e-mails are the Web's biggest new cyber-threat.

The digital cunning that goes into spear-phishing attacks is highlighted by the mysterious missive sent in Conall Watson's name. Besides posing as Watson to send the note, the attackers built sympathy by alleging Watson felt bad for resigning ("I missed many great and important actions for the freedom of Tibet in the past few months," the e-mail reads). They also built trust by noting that the soon-to-be-sent résumé came from a "Tibetan friend."

"It's part of the psychological game" to persuade recipients of the malicious e-mail to open an attachment or click on a link, enabling malicious code to bypass firewalls and antivirus software, says Matthew Devost, president of Total Intelligence Solutions, a cyber-security firm. These e-mails are "the equivalent of precision-guided missiles in cyberspace," says Paul Kurtz, a former National Security Council official. "Instead of blowing something up, they're sucking data out."
