Researchers at Citizen Lab have unearthed a broad campaign aimed at infiltrating Chinese-language news sites after discovering a phishing campaign targeting journalists at the US-based China Digital Times.
Digital espionage operations targeting news organizations have become commonplace, with numerous attacks traced to China-based operators. In 2013, for example, The New York Times reported persistent intrusion attempts by Chinese hackers over a four-month period targeting staffers' email accounts. Likewise, The Washington Post reported that hackers gained access to Post employees' user names and passwords. The hackers appear to have been tasked with uncovering the efforts of reporters covering stories in China.
Citizen Lab was called in to examine an intrusion attempt at the California-based China Digital Times after a reporter there received a suspicious email from an apparent source offering "insider information." The email contained a link to what appeared to be a China Digital Times article but instead diverted the reporter to a fake WordPress login screen. Researchers later examined the server hosting the fake login page and found several other fake domains registered to the same entity.
The hackers were in fact mimicking a slew of publications covering China, including The Epoch Times, Bowen Press, and Mingjing News. In some cases the content of an entire site was copied to complete the illusion. Reporters who followed links to the fake sites were prompted to supply their logins for the content management system; if the ruse worked, the hackers would hold valid credentials for the real news site and, potentially, gain access to drafts or other materials related to upcoming stories.
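The lure described above combines three signals a mail filter or a cautious reporter can check mechanically: the link's host imitates a trusted publication, the visible link text names a different site than the href actually points to, and the destination is a CMS login page (wp-login.php) on a host that is not the publication's own. The following script is an added example and is not Citizen Lab's code or data. The trusted domains it lists are assumed for the publications named in the report, the sample email body is constructed, and every attacker host ends in the reserved .example TLD so that none of it resembles the real fake domains.

```python
"""Flag lookalike and mismatched links in a phishing email body.

Added example, not from the Citizen Lab report. TRUSTED_DOMAINS and the
sample email below are assumptions for illustration only.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed legitimate domains for the publications named in the report.
TRUSTED_DOMAINS = {
    "chinadigitaltimes.net",
    "theepochtimes.com",
    "bowenpress.com",
    "mingjingnews.com",
}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com/.net/.org-style
    names; a real deployment would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats such as a
    dropped or swapped character in a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str):
    """Return the trusted domain this host imitates, or None.

    A host is a lookalike if it embeds a trusted brand label (for example
    'chinadigitaltimes') or lies within two edits of a trusted domain,
    while its registrable domain is not actually that trusted domain."""
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host.lower() or edit_distance(reg, trusted) <= 2:
            return trusted
    return None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def flag_suspicious_links(html: str):
    """Return a list of (href, reasons) for links worth a second look."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        parsed = urlparse(href)
        host = parsed.hostname or ""
        imitated = lookalike_of(host)
        if imitated:
            reasons.append(f"lookalike of {imitated}")
        # Link text that is itself a URL should point where it says it does.
        if text.startswith(("http://", "https://")):
            shown = urlparse(text).hostname or ""
            if registrable_domain(shown) != registrable_domain(host):
                reasons.append(f"text shows {shown} but link goes to {host}")
        # A CMS login page on an untrusted host is the credential trap itself.
        if parsed.path.endswith("wp-login.php") and registrable_domain(host) not in TRUSTED_DOMAINS:
            reasons.append("wp-login.php on untrusted host")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample email body; the .example hosts are invented.
SAMPLE_EMAIL = """
<p>I have insider information on this story:</p>
<a href="https://chinadigitaltimes-net.example/wp-login.php?redirect_to=/2018/article">https://chinadigitaltimes.net/2018/article</a>
<p>Also see <a href="https://chinadigitaltimes.net/about">our about page</a>
and <a href="https://theepochtimes.example/wp-login.php">this draft</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in flag_suspicious_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

Run against the constructed email, the first and third links are flagged (lookalike host, display/target mismatch, and a wp-login.php landing page on an untrusted host) while the genuine link to the real domain passes. The registrable-domain heuristic is deliberately simple; swap in a public suffix list before relying on it for country-code TLDs.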
“Our analysis shows that the operators are using the fake domains for at least three different purposes: reconnaissance, phishing, and malware,” Citizen Lab reports.
Two servers were found to be associated with the hackers’ efforts. One was used for reconnaissance—to assess what sorts of upcoming stories might be published—as well as to launch phishing attempts, as described above. A second server was dedicated solely to serving malware operations.
Citizen Lab identified the malware on the second server as NetWire, a remote access trojan (RAT) that has been around since at least 2012 and has previously been observed harvesting stored credit card data in point-of-sale breaches. The payload was disguised as an "Adobe update" and was wrapped in an obfuscation layer to hinder analysis. NetWire has a wide range of capabilities: it can read usernames and passwords stored by web browsers, log keystrokes, capture screenshots and audio, and upload and download files without the user's knowledge.
Domain registration information tied to the fake version of China Digital Times has also been linked to past campaigns targeting a Tibetan radio station and the Thai government, though this does not definitively mean that the same actors carried out those attacks; separate actors could be using shared resources. "We suspect that at the least there is some level of sharing and reuse of infrastructure by the same operator or group of operators," the researchers said.
Journalists are particularly vulnerable to the phishing attempts described above because as part of their work reporters regularly receive information from unknown sources, which they may have to vet on the fly. “Ideally, information security should be part of their standard work process, but information security is but one consideration out of many competing priorities,” Citizen Lab wrote.