Executives working for Students for a Free Tibet allege the attackers masquerading as Conall Watson are in China. According to a report from a cyber-security specialist who examined the e-mail, the malicious code in the fake résumé phones home to a server identified as scfzf.xicp.net. That server is located at an Internet address assigned to the Jiangsu Province area served by one of China's largest state-owned Internet service providers.
The server could be based in China—or located anywhere in the world, say computer security experts. That's because Chinese PCs with Internet service from China-based ISPs could, themselves, be infected with malicious code. Then hackers in other countries could bounce attacks through the compromised China-based computers. BusinessWeek could not independently confirm the location of server scfzf.xicp.net.
China denies any involvement in or support for hacker attacks on any groups. In an e-mail response to questions from BusinessWeek, Wang Baodong, a spokesman at the Chinese Embassy in Washington, D.C., says: "The Chinese Government always opposes and forbids any cyber crimes including 'hacking' that undermine the security of computer networks." China, he says, does not hire civilian hackers to collect information or intelligence.
The analysis by security experts of the malicious code in the fake résumé—named Revzin.doc—sent to SFT UK, shows that it exploits holes in older versions of Microsoft Word. Once inside a PC, the malware first contacts a server at the Web address www.windowsupdata.net. That Chinese-language Web site adds new code to the infection, the analysis says. As of mid-March, only 4 of 32 commercially available antivirus products detected the malicious code when tested by security experts.
The attempted spear-phish intrusion—and other attacks since February—are sparking angst among Students for a Free Tibet activists. They come at a time when tensions are near an all-time high with the Chinese government because of its recent suppression of violent protests in Lhasa, the Tibetan capital, and almost daily disruption of the Olympic torch relay as it travels the world on its way to Beijing, ahead of the Olympic Games that China hosts beginning in August.
"The saddest thing from all of this is seeing all the seeds [Chinese hackers] sowed some time ago. It is a moment of life or death," says Tethong, 32, the group's executive director. "It's just sick; they're just sick."
Other critics of China or its policies have come under attack by mysterious cyber-intruders, too. In late March, analysts from cyber-security firm Total Intelligence Solutions were called in to root out a breach of the computer network at the Save Darfur Coalition, a Washington (D.C.) advocacy group for the war-torn southern region of the African nation Sudan. Save Darfur has been a leading critic of the Chinese government's policies regarding Sudan. The activist group agreed to allow Total Intelligence Solutions to discuss the details of that intrusion with BusinessWeek.
According to Total Intel's Devost, who used to work for the Pentagon testing its computer security, hackers had accessed the Save Darfur computer system via a spear-phishing attack. "Potentially everything on the network was stolen," says Devost. Once inside, the hackers harvested e-mail addresses to send out additional spear-phishing attacks to other organizations. The malicious code embedded inside contacted a computer registered through a domain name service in the U.S. Total Intel analysts contacted the unidentified company, which agreed to shut down the master PC.
"Then, it was like my team crossed the line, and the A-team of hackers stepped in," says Total Intel's Devost. The next day, he says, more aggressive spear-phishing attacks were launched from the Save Darfur network, this time exploiting a vulnerability in PCs that had only been released days before. The hackers didn't try to cover their tracks using a U.S.-registered domain name. The malicious code, Devost says, phoned home straight to "a verified Internet address in China." The FBI, which is investigating the attack, received a detailed briefing from Total Intel analysts on Mar. 27, says Devost.
Meanwhile, SFT's cyber woes do not appear to have ended. SFT's Tethong says the group was notified by cyber-security consultants around Mar. 26 that someone using an Internet address in the Chinese enclave of Macau had hacked into SFT's main e-mail server, possibly downloading everything inside. Tethong says the group does not know how the intrusion occurred, though she has been advised that her e-mail may have been intercepted and intruders may have monitored SFT's network for unencrypted messages.
"There is just so much happening that we can't keep track of it," says Tethong.
Grow is a correspondent in BusinessWeek's Atlanta bureau.