by April 2, 2012 0 comments

A breach of computers belonging to companies in Japan and India and to Tibetan activists has been linked to a former graduate student at a Chinese university – putting a face on the persistent espionage by Chinese hackers against foreign companies and groups. The attacks were connected to an online alias according to Trend Micro Researchers. The owner of the alias, according to online records, is Gu Kaiyuan, a former graduate student at Sichuan University, in Chengdu, China, which receives government financing for its research in computer network defense. Mr. Gu is now apparently an employee at Tencent, China’s leading Internet portal company, also according to online records. According to the report, he may have recruited students to work on the university’s research involving computer attacks and defense.

The researchers did not link the attacks directly to government-employed hackers. But security experts and other researchers say the techniques and the victims point to a state-sponsored campaign. “The fact they targeted Tibetan activists is a strong indicator of official Chinese government involvement,” said James A. Lewis, a former diplomat and expert in computer security who is a director and senior fellow at the Center for Strategic and International Studies in Washington. “A private Chinese hacker may go after economic data but not a political organization.”

“The Trend Micro report describes systematic attacks on at least 233 personal computers. The victims include Indian military research organizations and shipping companies; aerospace, energy and engineering companies in Japan said Baburaj Varma | Head – Technical Services (India & SAARC) Trend Micro.He further added “at least 30 computer systems of Tibetan advocacy groups have been attacked so far. The espionage has been going on for at least 10 months and is continuing”. “This was not the only attack that was started and is stopped, it is a continuous effort by the Cyber criminals to attack Government websites and Defence authorities in India”.

Trend Micro Researchers traced the attacks to an e-mail address used to register one of the command-and-control servers that directed the attacks. They mapped that address to a QQ number – China’s equivalent of an online instant messaging screen name – and from there to an online alias. The person who used the alias, “scuhkr” – the researchers said that it could be shorthand for Sichuan University hacker – wrote articles about hacking, which were posted to online hacking forums and, in one case, recruited students to a computer network and defense research program at Sichuan University’s Institute of Information Security in 2005.

The New York Times traced that alias to Mr. Gu. According to online records, Mr. Gu studied at Sichuan University from 2003 to 2006, when he wrote numerous articles about hacking under the names of “scuhkr” and Gu Kaiyuan. Those included a master’s thesis about computer attacks and prevention strategies. The Times connected Mr. Gu to Tencent first through an online university forum, which listed where students found jobs, and then through a call to Tencent. Reached at Tencent and asked about the attacks, Mr. Gu said, “I have nothing to say.” Tencent, which is a privately managed and stock market-listed Internet company, did not respond to several later inquiries seeking comment.

The attacks are technically similar to a spy operation known as the Shadow Network, which since 2009 has targeted the government of India and also pilfered a year’s worth of the Dalai Lama’s personal e-mails. Trend Micro’s researchers found that the command-and-control servers directing the Shadow Network attacks also directed the espionage in its report. The Shadow Network attacks were believed to be the work of hackers who studied in China’s Sichuan Province at the University of Electronic Science and Technology, another university in Chengdu that also receives government financing for computer network defense research. The People’s Liberation Army has an online reconnaissance bureau in the city. Some security researchers suggest that the Chinese government may use people not affiliated with the government in hacking operations – what security professionals call a campaign.

For example, earlier this year, Joe Stewart, a security expert at Dell SecureWorks, traced a campaign against the Vietnam government and oil exploration companies to an e-mail address that belonged to an Internet marketer in China. “It suggested there may be a marketplace for freelance work – that this is not a 9-to-5 work environment,” Mr. Stewart said. “It’s a smart way to do business. If you are a country attacking a foreign government and you don’t want it tied back, it would make sense to outsource the work to actors who can collect the data for you.”

Trend Micro’s researchers said they were first tipped off to the campaign three months ago when they received two malware samples from two separate computer attacks – one in Japan and another in Tibet – and found that they were both being directed from the same command-and-control servers. Over the next several months, they traced more than 90 different malware attacks back to those servers. Each attack began, as is often the case, with an e-mail intended to lure victims into opening an attachment. Indian victims were sent an e-mail about India’s ballistic missile defense program. Tibetan advocates received e-mails about self-immolation or, in one case, a job opening at the Tibet Fund, a nonprofit based in New York City. After Japan’s earthquake and nuclear disaster, victims in Japan received an e-mail about radiation measurements.

Each e-mail contained an attachment that, when clicked, automatically created a backdoor from the victim’s computer to the attackers’ servers. To do this, the hackers exploited security holes in Microsoft Office and Adobe software. Almost immediately, they uploaded a directory of the victims’ machines to their servers. If the files looked enticing, hackers installed a remote-access tool, or rat, which gave them real-time control of their target’s machine. As long as a victim’s computer was connected to the Internet, attackers had the ability to record their keystrokes and passwords, grab screenshots and even crawl from that machine to other computers in the victim’s network.

Trend Micro’s researchers would not identify the names of the victims in the attacks detailed in its report, but said that they had alerted the victims, and that many were working to remediate their systems. A spokesman for India’s Defense Ministry, Sitanshu Kar, said he was not aware of the report or of the attacks it described.

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.

Your data will be safe!Your e-mail address will not be published. Also other data will not be shared with third person.