Analysis: Cyber Attack on China-based Foreign Correspondents

I just received the below analysis on the infected email attack on China-based foreign correspondents, via an email (whose sender I do not know).

Their credibility: I do not know the person who sent it, their organization or their expertise, level of credibility, etc. One of the organizations cited, Malware Lab, appears to have been founded this weekend. They do include their email addresses if anyone wants to follow up with them.

Their findings: The attack used a weakness in the Adobe PDF format to send computers back to a compromised computers at Taiwan universities. There is no conclusive evidence to show that the attack was orchestrated by the Chinese government, but one of the few groups that would have ready access to the personal email addresses of news assistants in China is the government. (While the names of news assistants would almost never appear in print, their names must be registered with the government.)

Targeted Malware Attack on Foreign Correspondent’s based in China

By Nart Villeneuve (nart dot villeneuve at utoronto.ca) and Greg Walton
(g.walton at secdev dot ca) | Sept. 26, 2009.

Overview

There have been recent reports of malware attacks on journalists based in China. The attacks specifically targeted Chinese employees working for media organizations, including Reuters, the Straits Times, Dow Jones, Agence France Presse, and Ansa.1 These employees received an email from “Pam ” who claimed to be an editor with the Straits Times, that came with a PDF attachment that contains malware. When opened, malicious code in the PDF exploits the Adobe Reader program and drops the malware on the target’s computer.

These attacks correlate with reports of increased security measures within China as a result of the 60th anniversary of the founding of the People’s Republic of China.2 These increased security measures have also been extended to the Internet, with providers of anti-censorship technology reporting increased levels of blocking that prevents people from accessing the web sites of foreign media and news organizations.3

This short briefing from the Malware Lab and the Information Warfare Monitor analyzes a sample from one of the attacks on behalf of an international news agency that operates in China, and a member of the Foreign Correspondents Club in Beijing.4

Key Findings:

* The content of the email, and the accompanying malicious attachment, are in well written English and contain accurate information. The email details a reporter’s proposed trip to China to write a story on China’s place in the global economy; all the contacts in the malicious attachment are real people that are knowledgeable about or have a professional interest in China’s economy.

* The domain names used as “command & control” servers for the malware have been used in previous targeted attacks dating back to 2007. The malware domain names, as in previously documented cases, only resolve to real IP addresses for short periods of time.

* The malware exploits vulnerabilities in the Adobe PDF Reader, and its behaviour matches that of malware used in previous attacks dating back to 2008. This malware was found on computers at the Offices of Tibet in London, and has used political themes in malware attachments in the past.

* The IP addresses currently used by the malware are assigned to Taiwan. One of the servers is located at the National Central University of Taiwan, and is a server to which students and faculty connect to download anti-virus software. The second is an IP address assigned to the Taiwan Academic Network. These compromised servers present a severe security problem as the attackers may have substituted their malware for anti-virus software used by students,
employees, and faculty at the National Central University.

Analysis

The email sent to the foreign correspondents from “Pam ” appears to be customized and targeted. The context of the letter and the attached PDF, “Interview list.pdf” is specific to journalists. The email itself is focused on setting up meetings for journalists in China, and the attached PDF contains a list of genuine contacts in China that relate to the context of the email. The name of the hotel and its address are accurate. Moreover, the purpose for the trip to China, to research the “annual economic survey,” correlates with the World Economic Forum’s release of its “Global Competitiveness Report” on September 8, 2009 and the conference that followed in Dalian, China on September 10-12, 2009.5

(more…)

Popularity: 1% [?]

Beijing Camel Traffic Jam

This Camel Traffic Jam in Beijing in the 1920s is just one of the many great photographs by Sidney D. Gamble recently put online by the Duke University Archive of Documentary Arts.

Without the Internet, many of us probably would never have seen Gamble’s great work.

Details on the man:

From 1908 to 1932, Sidney Gamble (1890-1968) visited China four times, traveling throughout the country to collect data for social-economic surveys and to photograph urban and rural life, public events, architecture, religious statuary, and the countryside. A sociologist, renowned China scholar, and avid amateur photographer, Gamble used some of the pictures to illustrate his monographs. The Sidney D. Gamble Photographs digital collection marks the first comprehensive public presentation of this large body of work that includes photographs of Korea, Japan, Hawaii, San Francisco, and Russia. The site currently features photographs dated between 1917 and 1932; the 1908 photographs will be digitized and uploaded as part of future additions to the site.

My posting of this image – in the interests of teaching about old Beijing and research about China’s history – hopefully does not breach the complex phrasing of copyright on the images.

Hat tip to James Fallows

Popularity: 4% [?]

Sophie Richardson: Olympics Coverage Guide for Journalists

Sophie Richardson, Asia advocacy director of Human Rights Watch, interviewed by Hugo Restall, Editor of The Far Eastern Economic Review about the Chinese government’s attitude towards media.

Richardson recently published a new report, “China’s Forbidden Zones: Shutting the Media Out of Tibet and Other ‘Sensitive’ Stories.”

Popularity: 4% [?]

Beijing vs TV Networks: Olympic Media Showdown

Let the games begin!

With the August 8 opening of the Olympic games only weeks away, confidential meeting minutes reveal ongoing battles between TV networks and Beijing Olympic organizers.

In the meeting, which took place a week or so ago, points of contention included new limits on live coverage and allegations that shipments of TV equipment have been held up in Chinese ports

“I think what I have heard here are just a number of conditions or requirements that are just not workable,” said IOC official Gilbert Felli, according to minutes of the May 29 meeting obtained by reporter Stephen Wade of the Associated Press. “There are a number of things that are just not feasible.”

Some TV executives were upset that the government looks like it will not permit live coverage from Tiananmen Square and the Forbidden City. This is a change from two months ago when IOC officials in Beijing said China had agreed to allow such live coverage.

“The Chinese are very concerned about something going wrong — and so they are in Olympic gridlock,” said John Barton, director of sport for the Asia-Pacific Broadcasting Union, which represents broadcasters in 57 countries. “They are suffocating the television coverage in the crazy pursuit of security. They can’t secure the event. Nothing can be totally secure, yet they are trying to do that.”

The tone of the meeting’s minutes is a stark contrast to public statements from the IOC.

Popularity: 5% [?]