Government of India, Military Research Organisations and Indian Shipping Companies Cyber attacker traced in China
A breach of computers belonging to companies in Japan and India and to Tibetan activists has been linked to a former graduate student at a Chinese university — putting a face on the persistent espionage by Chinese hackers against foreign companies and groups. The attacks were connected to an online alias, according to a report released by Trend Micro, a computer security firm with headquarters in Tokyo.
The attacks were connected to an online alias according to Trend Micro Researchers. The owner of the alias, according to online records, is Gu Kaiyuan, a former graduate student at Sichuan University, in Chengdu, China, which receives government financing for its research in computer network defense. Gu is now apparently an employee at Tencent, China’s leading Internet portal company, also according to online records. According to the report, he may have recruited students to work on the university’s research involving computer attacks and defense.
“At least 30 computer systems of Tibetan advocacy groups have been attacked so far. The espionage has been going on for at least 10 months and is continuing. This was not the only attack that was started and is stopped, it is a continuous effort by the Cyber criminals to attack Government websites and Defence authorities in India,” said Baburaj Varma, Head – Technical Services (India & SAARC) Trend Micro.
The researchers did not link the attacks directly to government-employed hackers. But security experts and other researchers say the techniques and the victims point to a state-sponsored campaign. “The fact they targeted Tibetan activists is a strong indicator of official Chinese government involvement,” said James A Lewis, a former diplomat and expert in computer security.
Trend Micro Researchers traced the attacks to an e-mail address used to register one of the command-and-control servers that directed the attacks. They mapped that address to a QQ number — China’s equivalent of an online instant messaging screen name and from there to an online alias. The person used the alias, “scuhkr”. The New York Times traced that alias to Gu. According to online records, Gu studied at Sichuan University from 2003 to 2006, when he wrote numerous articles about hacking under the names of “scuhkr” and Gu Kaiyuan. Those included a thesis on computer attacks and prevention strategies. The Times connected Gu to Tencent first through an online university forum, which listed where students found jobs and then through a call to Tencent.
The attacks are technically similar to a spy operation known as the Shadow Network, which since 2009 has targeted the government of India and also pilfered a year’s worth of the Dalai Lama’s personal e-mails. Trend Micro’s researchers found that the command-and-control servers directing the Shadow Network attacks also directed the espionage in its report. The Shadow Network attacks were believed to be the work of hackers who studied in China’s Sichuan Province at the University of Electronic Science and Technology, another university in Chengdu that also receives government financing for computer network defense research. The People’s Liberation Army has an online reconnaissance bureau in the city.
Some security researchers suggest that the Chinese government may use people not affiliated with the government in hacking operations — what security professionals call a campaign. Trend Micro’s researchers said they were first tipped off to the campaign three months ago when they received two malware samples from two separate computer attacks — one in Japan and another in Tibet and found that they were both being directed from the same command-and-control servers. Over the next several months, they traced more than 90 different malware attacks back to those servers. Each attack began, as is often the case, with an e-mail intended to lure victims into opening an attachment. Indian victims were sent an e-mail about India’s ballistic missile defense program. Tibetan advocates received e-mails about self-immolation or in one case, a job opening at the Tibet Fund, a nonprofit based in New York City. After Japan’s earthquake and nuclear disaster, victims in Japan received an e-mail about radiation measurements.
Each e-mail contained an attachment which when clicked, automatically created a backdoor from the victim’s computer to the attackers’ servers. To do this, the hackers exploited security holes in Microsoft Office and Adobe software. Almost immediately, they uploaded a directory of the victims’ machines to their servers. If the files looked enticing, hackers installed a remote-access tool, which gave them real-time control of their target’s machine. As long as a victim’s computer was connected to the Internet, attackers had the ability to record their keystrokes and passwords, grab screenshots and even crawl from that machine to other computers in the victim’s network.
Trend Micro’s researchers would not identify the names of the victims in the attacks detailed in its report, but said that they had alerted the victims, and that many were working to remediate their systems. A spokesman for India’s Defense Ministry, Sitanshu Kar, said he was not aware of the report or of the attacks it described.
