Google: Malware Attacks Target Vietnam Dissidents

Google and McAfee have traced widespread malware attacks back to a dispute over a mining operation in Vietnam backed by China. Infected machines have been used to spy on their owners as well as launch distributed denial-of-service attacks against the mining operation's critics.

Google and McAfee have uncovered evidence that a campaign of politically motivated cyber-attacks is targeting critics of a Chinese-backed mining operation in Vietnam.

In a blog post, Neel Mehta of Google's security team noted the cyber-assault on Vietnamese activists is separate from the Aurora incident the company reported in January, and potentially involves tens of thousands of users who "downloaded Vietnamese keyboard language software and possibly other legitimate software."

"These infected machines have been used both to spy on their owners as well as participate in distributed denial of service (DDoS) attacks against blogs containing messages of political dissent," he wrote. "Specifically, these attacks have tried to squelch opposition to bauxite mining efforts in Vietnam, an important and emotionally charged issue in the country."

Bauxite is one of Vietnam's most valuable natural resources, and the mining plans-backed by the Vietnamese government and state-run Chinese aluminum firm Chinalco-have become a source of political controversy.

Mehta did not directly accuse China of participating in the attacks. However, the company has been in a tense war-of-the-words with the country's government for months, and just a week ago closed the Chinese version of its search engine.

According to security researchers at McAfee, attackers used malware disguised as the keyboard driver VPSKeys, which is used to insert accents at the appropriate locations when using Windows. Once infected, the machines join a botnet with about a dozen command and control servers located around the globe but accessed predominantly from IP addresses inside Vietnam, McAfee reported.

"We suspect the effort to create the botnet started in late 2009, coinciding by chance with the Operation Aurora attacks," blogged McAfee CTO George Kurtz. "While McAfee Labs identified the malware during our investigation into Operation Aurora, we believe the attacks are not related.

"We believe the attackers first compromised, the Web site of the Vietnamese Professionals Society (VPS), and replaced the legitimate keyboard driver with a Trojan horse," he continued. "The attackers then sent an e-mail to targeted individuals which pointed them back to the VPS Web site, where they downloaded the Trojan instead."

At the same time, news that foreign journalists working in China have once again had their e-mails hacked has raised eyebrows even further. Earlier this year, the Foreign Correspondents' Club of China (FCCC) issued a warning to its members stating that journalists working in China had had their e-mails hacked. This time, the group has reportedly said eight members had their e-mail accounts hacked in recent weeks and that several were suspended by Yahoo March 25. Also, as of roughly 11:55 a.m. Eastern time today, the FCCC Website is down.

"We believe that malware is a general threat to the Internet, but it is especially harmful when it is used to suppress opinions of dissent," Mehta wrote.