Chinese Hackers Launch Zero-Day Malware At Spiritual Activists, Military Groups

twoheadedboy writes "A Chinese hacker group is the chief suspect of spear phishing attacks against the Falun Dafa spiritual group and military organizations in the Philippines. Data handed to TechWeek by AlienVault Labs showed how zero-day malware, designed to pilfer Outlook email account logins, was just one strand of the attacks, which are ongoing. Other malware sought to steal passwords for other accounts, dodging many commercial AV products, whilst remote access tools indicate this is a serious surveillance operation. Chinese authorities have neither confirmed nor denied the claims. But it marks another case of Internet-led surveillance with China's name attached to it, following numerous reports of mass Chinese hacking, which has already allegedly hit massive firms like Facebook and Google."

How are the Chinese doing this?

[cold+fjord]

How are the Chinese doing this? Snowden hasn't said a word about Chinese espionage programs that I recall.

Re:How are the Chinese doing this?

[Fluffeh]

Snowden wasn't employed in a position where he had access to the Chinese espionage program. He was employed where he had access to the US programs. Maybe one day there will be a Chinese version of Snowden that will shine light on all the mischeif that the Chinese get up to...

Re:How are the Chinese doing this?

[Dr+Max]

Probably because he hasn't worked for them (but plenty of people are more than happy to tell you it's widespread and unstoppable apart from giving the NSA another trillion dollars). Also i think i would prefer the Chinese having all my data than the US, because china is a lot less likely to use it against me (not hand it over to the mpaa to sue me or something). Of course if i was a billion dollar defence contractor working on top secret weapon designs for the US, or a Chinese citizen, i might have a different view point.

Re:How are the Chinese doing this?

[viperidaenz]

No, China won't hand your information over to MPAA. They'll just imprison you indefinitely for speaking against the government.

Re:How are the Chinese doing this?

[Dr+Max]

How exactly are they going to do that? Even if they managed to invade my country, finding me in that war zone wont be all that easy. But what the hell, lets find out what happens. CHINA GOVERNMENT EATS BABIES. How long do you think it's going to take to arrest me?

Re:How are the Chinese doing this?

[viperidaenz]

As soon as you go through customs if you ever decide to go to China, Taiwan or Hong Kong for a holiday?

Re:How are the Chinese doing this?

As soon as you go through customs if you ever decide to go to China, Taiwan or Hong Kong for a holiday?

I like how you listed all three of those as separate countries but then assumed they all shared a common legal system.

Re:How are the Chinese doing this?

[cold+fjord]

I agree there will indeed be light shining on the day there is a Chinese Snowden. A Chinese Snowden might even have an easier time getting people to see his light since he will be able to make it more visible by reflecting it off the ice accumulated from hell freezing over. I'm not sure a Russian Snowden would have that advantage.

Re:How are the Chinese doing this?

Think before you comment. Snowden has never worked in Chinese espionage programs so how the fuck do you expect him to know more than you about them? Snowden is just a man, not some kind of seer who sees all that happens on Earth. And I don't think the Chinese need illegal espionage, even their great firewall is legal.

As for how they do this, China has 1.5 billion citizens, some of whom will get into hacking, and some of those will fuck up and be discovered. My guess is they have few punishments for hacking (unlike other countries where you're better off being caught killing someone than hacking their twitter account) so their hackers are sloppy and don't care about hiding their tracks.

Re:How are the Chinese doing this?

[Dr+Max]

Yeah because there are all those reports from western peoples families, that their loved ones were abducting by the Chinese government while they were on a holiday in china. On the other hand there have been many stories of people being stopped entry to America because of something they wrote on the internet (no abductions that i know about at the airport, but i wouldn't like to be snowden or assange walking around over there) and if America finds you in a country they don't like (and are alot bigger than) they can throw you in guantanamo bay.

Re:How are the Chinese doing this?

[AHuxley]

Re: How are the Chinese doing this?
The same way the US tracks protesters/anti war groups or faith based charities are examined, Russia tracks the press/CIA/MI6 funded NGOs or dissidents.
You find the 'easy' local groups, raid them and see what their admins are doing. Build up picture of their networks and then legend your sock puppets/long term infiltrators for the international supporters.
Sock puppets get people taking, long term infiltrators build trust with the admins and become helpful leaders in the online communities.
Later when the network is mapped out, leadership and top posters named more direct option are open to the gov.
Philippines and Vietnam both has historical issues with China and the quality of their computer networks would be expanding for trade, military upgrades and tourism.
Trade and tourism would usually be some front end based on Microsoft as hinted with the mention of "Microsoft Word vulnerabilities were exploited, the payload decrypted and then executed"
MS (made in the USA) is the way in for the NSA, China and any other group it seems.

Re:How are the Chinese doing this?

[sFurbo]

A Russian Snowden would not help that much, as any illumination he did would be with alpha particles which aren't very penetrating.

Re:How are the Chinese doing this?

[SuricouRaven]

A Chinese snowden would be lucky to make it out of the country, and would likely be dead in an 'accident' a week after the first leak.

Re:How are the Chinese doing this?

Go Team America World Police!

Asshole

Re:How are the Chinese doing this?

Actually, it would take forever to arrest him. I openly discussed the Falun Gong with a Brit in a Beijing restaurant where the wait staff listen in on your conversations.

If you have white skin and round eyes, the Chicoms don't give 2 shits what you say in English.

Re:How are the Chinese doing this?

[cold+fjord]

And that is how asymmetric advantage accrues to the genuinely oppressive regimes. Cripple intelligence agencies in free societies, do nothing about the actual oppressive regimes. What could possibly go wrong?

Black hole them?

[CaptainDefragged]

Unless your business has a legitimate need to accept traffic from China or Russia, wouldn't it be possible, perhaps prudent even, to block any traffic to and from those countries?

Re:Black hole them?

Well done, you are about to break the internet.

Never go full retard...

Re:Black hole them?

[aliquis]

Yeah. Try to block all the spying organisations by blocking traffic from the countries they operate from ..

At least you'll get local speed to all of your accessible part of the Internet!

Re:Black hole them?

someone (end users, perhaps businesses, institutions even) blocking russia, china, nigeria (etc) traffic from their own network does nothing to "break the internet" (who's the 'retard' for thinking it would?).. i wouldnt even mind if an ISP or mail provider blocked all unsolicited inbound traffic (port scans, pings, worm transmissions, etc) from those countries by default (manual opt-in to have that traffic routed to you) and scored mail originating from those countries as highly probable to be spam or worse.

we have absolutely no business with china, russia, nigeria (or the rest of africa for that matter).. a blanket blackhole or blacklist of those IPs makes sense, and IS IN USE HERE... and does stop a hell of a lot of illegitimate traffic.. both coming into our local network AND to our public-facing servers... hack attempts at ftp/ssh servers/services and web apps, malware infested email, phishing emails, and contact form/comment spam, all dropped to virtually zero when those blocks went into place.

Re:Black hole them?

[anubi]

There are snoops and malicious activity everywhere on the net. Seems a lot of governments as well as shysters are doing it. This does not seem centered on one group of people as I can see. We are snooping. They are snooping. Businesses are snooping. Many people are hoarding other's personal data, but trying every way they can to protect theirs - our own government is snooping like heck, but let their beans get spilled and they come all unglued.

Information I volunteer on a business form becomes public for the business "associates", but a song aired is still considered private property and having others store an unauthorized copy being deemed illegal. If my storing a copy of information copyrighted by someone else is illegal, why isn't it illegal for them to store a copy of my doings? I claim copyright over my life, but who is going to enforce my claims?

As things go global, I guess a lot of you know that there are Chinese counterparts to Ebay and Amazon. Its AliExpress, Alibaba, Baidu, Taobao. I use AliExpress a lot to get things that are hard to find in the USA - or when I do find them, they are often marked way up. AliExpress is geared for international sales, where the others I listed are internal Chinese sites and it would help a lot if you can read Mandarin.

So far I have not noted unusual activity coming from the shopping sites, however I did note some software behaving suspiciously as I was researching shipping sites and was visiting a lot of unknown Chinese sites in search of how the shipping systems worked. The legit sites were not doing it, but in my ignorance, I was hitting a lot of decoy sites.

No-Script saved my ass a lot of times. The legit sites worked without requiring me to "drop my shields". I only wish American business sites would do likewise, as I often do not know who is legit and who is trying to pull a fast one until I have done business with them a few times. When the first thing a business site does is demand I "drop my shields", thereby becoming vulnerable to a malware attack, I become suspicious, I guess for the same reason if I entered a bank wearing a ski mask, I would expect the bank personnel to suspect I may have an ulterior motive for my presentation.

Re:Black hole them?

[CaptainDefragged]

Yes, thank you AC, that is what I had in mind. I don't see how managing your own security risks breaks the Internet either. If your home or business doesn't need to access risky countries, then firewall them off. Nothing retarded about that; sounds like common sense to me.

Re:Black hole them?

[Yomers]

It will keep those hackers away, sure :) You really dont know about vpn, socks, ssh tunnel, server with remote access? Or you are just a voice from under the bridge?

Having looked at the C&C IP addresses, domain names used by the attackers, shellcode inside the exploits and various pieces of metadata, AlienVault has surmised the attackers are operating out of China.

AlienVaults make the same mistake - like Chinese servers and domains are available only to Chinese, lol. Couple of years ago .cn domains was almost free, so 90 percent of spam domains were .cn. Chinese servers frequently used as 'bullet-proof' as Chinese datacenter staff tends not to react on foreign abuse complaints. IP's and domains have no relation whatsoever to attackers nationality.

Re:Black hole them?

[CaptainDefragged]

Hang on whilst I grab my flame retardant coat. I guess I should have been more specific and said "Chinese or Russian domains and IP blocks".

Re:Black hole them?

[SuricouRaven]

I'm sure that's delay any Chinese hackers, state-sponsored or otherwise, for a few minutes. They are as capable as anyone of using a previously-compromised host as a proxy. State-sponsored hackers may even use this as a false-flag approach: Hack a bunch of computers in Russia or Iran, and use those to attack American targets. For that matter, some of the many attacks seemingly coming from China may well be the work of Russia. It's very easy to frame someone else.

Mandiant Report

[colsandurz45]

This seems consistent with the Mandiant report, at least the Spear Phishing attacks and maybe the tools?

Re:Mandiant Report

so this is consistent FUD.

Context is everything

In China: Use metadata to find suspects, attempt to install a trojan to find additional information.
In US: Use metadata to find suspects, request a secret warrant from a secret court (with a history of granting 100% of warrant requests) to find additional information.

following numerous reports of mass Chinese hacking, which has already allegedly hit massive firms like Facebook and Google.

Following a report that US surveillance consists of massive firms like Facebook and Google.

Posting anonymously, because I often fly internationally, am already easily profiled, and do not want to increase my risk of showing up on a secret TSA hassle list.

Re:Context is everything

[Khashishi]

Just how anonymous is Slashdot's anonymous, really?

Re:Forgot what Snowden said?

[black3d]

>and you guys are even worse; you hack and monitor even your staunch allies.

And you don't? Sorry, that's not really a question. We know you do.

You spout a lot about hypocrisy, but it appears you misunderstand the word, or perhaps the context. It would be hypocritical to say "Chinese Hackers Launch Zero-Day.. AND THAT'S A BAD THING WE'D NEVER DO", and then go ahead and do exactly the same. It's not in the slightest way hypocritical to say "Chinese Hackers Launch Zero Day" if they did. It's just reporting news. Just as the Chinese government media report anything bad they can possibly find to say about the west. Simply reporting news is NOT, in any way, hypocritical. It would only be hypocritical if it was to be reported, and then claimed that we don't do the same.
 
The irony here is, that by saying "you guys are even worse; you hack and monitor even your staunch allies" when you do exactly the same, you're the only person being hypocritical. You're saying the US is "worse" because it "monitors its allies", yet China does exactly the same. Cue, hypocrisy.

Re:Forgot what Snowden said?

[cold+fjord]

From what I hear North Korea feels the "love" from China. So do most of the countries around China.

Meh

Say what you will about Chinese government & private sector computer crime, at least they're not reading my email and logging all my net traffic.

Re:Meh

[minstrelmike]

Say what you will about Chinese government & private sector computer crime, at least they're not reading my email and logging all my net traffic.

How do you know that? Maybe they've hacked into the USA's NSA and stolen all our data already;-)

Targets Alone Prove that it was the Chinese

[CodeBuster]

The targets alone prove that this was the work of the Chinese because there's no money to be made in attacking either of these groups. The criminals are in it for the money and they wouldn't waste zero days on military groups in the Philippines or some offshoot of the Falun group of religious people. Furthermore, everybody knows that the Chinese government employs hackers, it's now documented public information, so there's no obvious political value in staging a false flag operation to make it look like it was the Chinese because that cat's already out of the bag. The only government on the entire planet that would perceive any value in attacking either of these groups is the Chinese government.

Re:Targets Alone Prove that it was the Chinese

Data a criminal group might obtain on the Falun Gong is saleable to the Chinese government, false flag operations do have value in distracting from the current Snowden case for instance, or gaining credibility for the FG. Or it could just be a private enthusiast acting without sanction. It doesn't *have* to be the Chinese, though it does seem likely.

Re:Forgot what Snowden said?

[compucomp2]

This article, its posting here on Slashdot, and the entirely predictable "Down with TEH EVIL RED CHINA" comment responses are exactly the same as if Fox News posted an overblown, partisan, and hypocritical article about something Obama may or may not have done wrong. The agenda at every step is to cheerlead for the USA with no regards to objectivity and blow up out of proportion something bad China supposedly did, even though the USA has done the same things. I thought Snowden's revelations would get rid of this kind of tripe, nope, within a month it's back.

You want your team to win, and just like in a sports match your team can't commit a foul and everything the other team does is a foul. I get it. It seems some things never change.

Re:Forgot what Snowden said?

[black3d]

I'm not American - hell, I'm actually banned from the country (a technical issue with visas). I'm not interested in anyone "winning". I'm simply pointing out, since you seem to have missed it again, that reporting news isn't "hypocrisy". It's only hypocritical if the media, while reporting the news, actually made statements to the effect that it would never happen in the West. That isn't happening. You're seeing hypocrisy where there is none. Call it partisan. Call it overblown. But you can't call it hypocritical.

A mass of massive hacking

At a previous gig I was tasked with setting up a network with VPN endpoints in Shanghai, Noida, SF, and NYC. Within months I was consulting with my buddies that started their own security company because my doorknob was rattling off the hook mainly in the Shanghai region. The data being protected was a AAA game engine under heavy development, which I can say never got leaked unlike the one from our sister studio in the UK. The mass of massive hacking coming my way did seem to be chinese govt related (in this case rightfully so) because I can only describe it as a gigantor sized botnet with permanent PMS that seemed to disappear when you began investigating it. It was explained to me they have developed their own protocols which do not translate well to a western approximation of things. Constant attempts to poison DNS on our domain controller from seemingly 3g mobile network addresses in the region and a heavy use of whale-sized infiltration techniques were constant headaches. I could not just change the platform or OS too many 3rd party tools. I got no help from admins on their end when I asked why all this **** was on their network segment and why their BYOD policy was allowing it. My only saving grace was a machine put together from spare parts dedicated to taking the brunt of Shanghai attack attempts which had absolutely nothing on it but was set up to look like the machine that was the goal of all the attacks on the network. After a month or so it would mysteriously get knocked off the network whenever it was put up even after an OS reinstall when VPN was up. Luckily, it gave us enough time to get spinlocking RSA dongles in the mail which were all the rage back then. Found out later all this work was to protect some shady employment practices that became very public after I had left the company. The point of this very long tale which will most likely get buried is get both sides of the story. Justice is blind, even on the net, wherever these people are you have to ask yourself when it comes to a person's life or wellbeing these things may actually be necessary and it is not always to stem the tide of dissent. You can read the news but this is an actual in the trenches account- hope it helps and hope more people will share these experiences.

Re:Daffa?

[Dexter+Herbivore]

Hey China, there's this place called Westboro Baptist Church, I heard that they said nasty things about your government. (crosses fingers and waits).

Deal with the problem then

Instead of the normal crap you see on here deal with the dang problem if China is a problem then disconnect them from the internet you yanks say you own the dang thing do something instead of just wetting your panties ..

China and the Philippines

[cold+fjord]

It makes perfect sense that Chinese groups are attacking the military of the Philippines since China is paving the way for aggression. China is trying to claim sovereignty over islands claimed by many of its neighbors. The age old quest by China to establish its hegemony continues.

Philippines Protests Renewed Chinese Pressure in South China Sea
China And The Biggest Territory Grab Since World War II
The Philippines and Japan want U.S. help in dealing with China’s aggression
Philippines upgrades military to end China "bullying" in S. China Sea
Japan Will Sell Ships To Philippines To Fight China’s “Bullying”

Re:China and the Philippines

It also makes sense that the US is framing China for hacking attacks and trying to stir up age old tensions in China's backyard with it's neighbours.. I mean, the Phillipines and Japan are independent/impartial when it comes to China/US right and in no way would they be under US influence would they?

The age old quest(ok maybe not that old) by the US to keep it's hegemony continues, and the age old quest by the US to frame others and continue to do what it accusers others of doing continues.

China may have motive in hacking Phillipines military, but if so, what kind of intelligence are they expecting to get, or if not for intel, then what was the purpose in the hack?

Other countries also have motive in hacking the phillipines, and even more motive in making it look like China was the one behind it. Everyone knows China is a convenient scapegoat/target. China/Russia etc are the perfect countries/cover for hackers to attack the west from(if the target hasn't blocked all connections from .cn/.ru to begin with..)

Re:China and the Philippines

China has claimed those islands long before the Philippines claimed them. Chinese claims to those islands date from the Yuan dynasty (14th century) and have been basically been reaffirmed by every government between then. The nine dashed line dates from Chiang Kai Shek.

Re:China and the Philippines

In China the anti-foreigner propaganda is against the Japanese - at least it was in 2005 when I was there. It is genuine and not being framed by the US.

The Chinese use Japanese WW2 atrocities as an excuse. The real reason is the oil in the South China Sea. Now there is a similar oil dispute between China and the Philippines.

Lets ask the sane question

[ruir]

Why foreign organisations are using: 1) a closed-source OS developed by a foreign power 2) software with all these security flaws 3) a software defective by design

Spiritual Activists?

Unless they're moving against Christians, most of the western world doesn't care.
China has a thriving trade in sex slaves, protected by official corruption - bigger fish to fry.

Zero-day malware?

[asylumx]

How can malware be zero-day? If it's exploiting some security weakness, then it's a virus and not malware. If it's malware, then it's probably gotten itself installed (even if through nefarious means) via some social engineering technique. I suspect this is a stretched use of "zero-day" in order to make the headline & article more exciting.

Re:Zero-day malware?

[gman003]

You've got your definitions wrong.

"Malware" is a superset of viruses, worms, trojans, and pretty much any software that inflicts harm. It can spread either through the network, over physical media, through social engineering, or any combination of the three.

Re:Zero-day malware?

But god forbid you actually read past the headline. /doesn't read the article either

Re:Zero-day malware?

[camperdave]

It exploits security flaws that have been there since day zero, perhaps?

Nuke

the CHICOMS! filthy yellow hordes!

chinese enemies

nukes will fry every chinese computer and all these wankers will be out of a job

deniability means that most of them will be shot by their own government one of these days

Falun Gong is a cult

It's a stretch to claim that Falun Gong is a "spiritual practice." They're a cult on the same order as Reverend Moon's "Unification Church" or Lyndon Larouche's Larouche Youth Movement.

They have a TV station: http://en.wikipedia.org/wiki/New_Tang_Dynasty_Television a newspaper http://en.wikipedia.org/wiki/The_Epoch_Times a radio station: http://en.wikipedia.org/wiki/Sound_of_Hope and a performing dance troupe: http://en.wikipedia.org/wiki/Shen_Yun_Performing_Arts

Their leader, Li Hongzhi, claims to "not accorded special treatment, nor does he accept money or donations from students of Falun Dafa" http://www.stanford.edu/group/falun/eng/faq.htm but if you go to the Shen Yun website http://www.shenyunperformingarts.org/, you'll see on the front page prominently features an essay by Li Hongzhi in which he goes onto define "What is Classical Chinese Dance?" Like any cult leader, to his followers he is an expert in all things, man made or otherwise.

But don't take my word for it; do your own research. Take a look at Li Hongzhi's official biography, where he claims to have by age eight, acquired "the superb great law with supernatural powers." Or look into his statements about whether to seek normal medical treatment or to rely on his teachings. Or just go ask some practitioners how their "spiritual practice" funds itself and is able to support so many media outlets and lobbying efforts.

Re:Falun Gong is a cult

[minstrelmike]

The 'evidence' isn't (although I agree FG is a cult, your evidence is just garbage).
IF I accepted it as evidence, then Billy Graham would not be a real preacher because he had his own TV shows and asked for donations.
That would mean the Pope isn't actually in charge of a 'real' church because they have their own Catholic bank.

Opinion, even when I agree with it, isn't the same as evidence or fact.

Re:Falun Gong is a cult

[Khashishi]

Whether they are a cult doesn't make it ok for the Chinese government to persecute them.

Re:Daffa?

[OakDragon]

I'm not even sure they have computers. AFAIK, God may Hate Computers.

Re:Daffa?

[minstrelmike]

I'll bet they have computers. Westboro isn't actually a church.
They are more like patent trolls, but they troll city governments that try to quash the protests and then sue them.
It's a family business, not a church, just like a patent troll is a business but not a company that makes or sells items (unless ou consider a protection racket an item).

btw, I think the only government Westboro has complained about is the US one.

Re:Daffa?

[interkin3tic]

Having been to their website once (morbid curiosity), I'd say they had computers in the mid-nineties, set up the website, and then got rid of them all. I recall a lot of GIFs and blinking text.

Ha ha, I'm making fun of their lack of web design skills. Also they're terrible fucking hypocrites who will burn in hell. That's funny too.

Re:Daffa?

they have a website, FYI