Google and McAfee have traced widespread malware attacks back to a dispute over a mining operation in Vietnam backed by China. Infected machines have been used to spy on their owners as well as launch distributed denial-of-service attacks against the mining operation's critics.
Google and McAfee have uncovered evidence that a campaign of politically motivated cyber-attacks is targeting critics of a Chinese-backed mining operation in Vietnam.
In a blog post, Neel Mehta of Google's security team noted the cyber-assault on Vietnamese activists is separate from the Aurora incident the company reported in January, and potentially involves tens of thousands of users who "downloaded Vietnamese keyboard language software and possibly other legitimate software."
"These infected machines have been used both to spy on their owners as well as participate in distributed denial of service (DDoS) attacks against blogs containing messages of political dissent," he wrote. "Specifically, these attacks have tried to squelch opposition to bauxite mining efforts in Vietnam, an important and emotionally charged issue in the country."
Bauxite is one of Vietnam's most valuable natural resources, and the mining plans, backed by the Vietnamese government and state-run Chinese aluminum firm Chinalco, have become a source of political controversy.
Mehta did not directly accuse China of participating in the attacks. However, the company has been in a tense war of words with the country's government for months, and just a week ago closed the Chinese version of its search engine.
According to security researchers at McAfee, attackers used malware disguised as the keyboard driver VPSKeys, which is used to insert accents at the appropriate locations when using Windows. Once infected, the machines join a botnet with about a dozen command and control servers located around the globe but accessed predominantly from IP addresses inside Vietnam, McAfee reported.
"We suspect the effort to create the botnet started in late 2009, coinciding by chance with the Operation Aurora attacks," blogged McAfee CTO George Kurtz. "While McAfee Labs identified the malware during our investigation into Operation Aurora, we believe the attacks are not related.
"We believe the attackers first compromised www.vps.org, the Web site of the Vietnamese Professionals Society (VPS), and replaced the legitimate keyboard driver with a Trojan horse," he continued. "The attackers then sent an e-mail to targeted individuals which pointed them back to the VPS Web site, where they downloaded the Trojan instead."
At the same time, news that foreign journalists working in China have once again had their e-mails hacked has raised eyebrows even further.
Earlier this year, the Foreign Correspondents' Club of China (FCCC) issued a warning to its members stating that journalists working in China had had their e-mails hacked. This time, the group has reportedly said eight members had their e-mail accounts hacked in recent weeks and that several were suspended by Yahoo March 25. Also, as of roughly 11:55 a.m. Eastern time today, the FCCC Website is down.
"We believe that malware is a general threat to the Internet, but it is especially harmful when it is used to suppress opinions of dissent," Mehta wrote.