New York, 31 Mar 2012: Indian military research bodies and Tibetan activists have been targeted by hackers based in China, with a former graduate student at a Chinese university emerging as a key figure responsible for the cyber breach, according to a report by a computer security firm.
In its 24-page report, Tokyo-based Trend Micro said the hacking campaign, dubbed 'Luckycat', targeted Indian military research institutions, entities in Japan as well as the Tibetan community.
The campaign, active since around June 2011, has been linked to 90 attacks against targets in Japan and India as well as Tibetan activists. In all, the Luckycat campaign managed to compromise 233 computers in systematic attacks.
Victims of the attack also include Indian shipping companies, Japan’s aerospace, energy and engineering companies and at least 30 computer systems of Tibetan advocacy groups.
Trend Micro said each malware attack involves a unique campaign code that can be used to track which victims were compromised by which malware attack.
"This illustrates that the attackers are both very aggressive and continually target their intended victims. These are not smash-and-grab attacks but constitute a 'campaign' comprising a series of ongoing attacks over time," it said in its report.
Trend Micro tracked elements of the cyber attack campaign to hackers based in China.
The Luckycat campaign attacked a diverse set of targets using a variety of malware, some of which have been linked to other cyber-espionage campaigns.
The attackers behind this campaign maintain a diverse set of command-and-control infrastructure and leverage anonymity tools to obfuscate their operations, the report said.
It cited the example of a hacking attack on India’s ballistic missile defence programme.
In this, a malicious document containing information on the programme was used to lure potential victims into opening it.
This document contained malicious code that exploited a vulnerability in computer software, enabling the hackers to take control of the compromised computer. Similarly, Tibetan advocates received e-mails about self-immolation, while victims in Japan received e-mails asking them to open attachments that purported to contain information about the country's earthquake and nuclear disaster.
A different campaign, known as 'ShadowNet', also has a history of targeting Tibetan activists as well as the Indian government.
The Luckycat attacks are technically similar to those of the Shadow Network, a spy operation which since 2009 has targeted the government of India and the Dalai Lama’s personal e-mails.
The Shadow Network attacks are believed to be the handiwork of hackers who studied in China’s Sichuan Province at the University of Electronic Science and Technology, which also receives government financing for computer network defence research.
The People’s Liberation Army has an online reconnaissance bureau in the city.
"Cyber-espionage campaigns often focus on specific industries or communities of interest in addition to a geographic focus.
Different positions of visibility often yield additional sets of targets pursued by the same threat actors," Trend Micro said.
The New York Times said the attacks were connected to an online alias, the owner of which is Gu Kaiyuan, a former graduate student at China’s Sichuan University, which receives government financing for its research in computer network defence.
Gu is believed to work at Tencent, China's leading Internet portal company, and he may have recruited students to work on the university's research involving computer attacks and defence.
According to online records, Gu wrote numerous articles about hacking under the names of "scuhkr" and Gu Kaiyuan.
When contacted by the Times about the attacks, Gu said, "I have nothing to say."
The attacks are not linked directly to Chinese government-employed hackers but security experts and other researchers say the techniques and the victims point to a state-sponsored campaign.
"The fact they targeted Tibetan activists is a strong indicator of official Chinese government involvement," computer security expert James Lewis said in the New York Times report.
"A private Chinese hacker may go after economic data but not a political organisation."
The Times report said security researchers believe that the Chinese government may use people not affiliated with the government in hacking operations.