Our findings illuminate a series of apparently targeted, sophisticated cyber-attacks deployed against WUC and affiliated organizations and individuals -- with a combination of social engineering and exploits through email (similar to spear phishing) -- over a period of four years.
Two volunteers at WUC provided more than 1,000 suspicious emails sent to more than 700 different email addresses from 2009-2013, including WUC leaders as well as:
- Journalists (including at AFP, CNN International, Los Angeles Times, New York Times and Reporters Without Borders)
- Politicians (including in the Socialist Party of the Netherlands and the Chinese Democratic Party)
- Academics (including at Penn State University, Howard University, Syracuse University, George Washington University and the Xinjiang Arts Institute China)
- Employees of other NGOs (including Amnesty International and Save Tibet - International Campaign for Tibet).
We found that the language and subject matter of malicious emails were intricately tailored to appear familiar, normal or friendly, with the sender impersonating someone else to lure the recipient into opening an attachment or URL: all hallmarks of social engineering.
The majority of the messages sent to WUC and others were in the Uyghur language, and about a quarter were in English. Emails were sent from compromised accounts inside the WUC organization or from email addresses that were a character or two off from the known email address to trick the eyes of the recipients.
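One defensive check the lookalike-sender trick suggests is to compare every incoming From: address against a list of trusted contacts and flag addresses that are within an edit or two of a known one. The following is an added example and not code from the study; the contact list, the sample headers, and the distance threshold of two edits are constructed assumptions for illustration.

```python
# Added example: flag From: addresses that are a character or two off from a
# known contact (the lookalike trick described above). Not code from the
# study; the contact list and sample headers below are constructed.
import re

# Constructed list of trusted addresses (assumption: the defender maintains one).
KNOWN_CONTACTS = [
    "dolkun@uyghurcongress.example",
    "press@uyghurcongress.example",
    "editor@newsdesk.example",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def extract_address(header: str) -> str:
    """Pull the bare address out of a From: value such as 'Name <addr>'."""
    m = re.search(r"<([^>]+)>", header)
    return (m.group(1) if m else header).strip().lower()


def classify_sender(header: str, known=KNOWN_CONTACTS, max_distance: int = 2):
    """Return (verdict, closest known address, edit distance).

    verdict is 'known' (exact match), 'lookalike' (within max_distance edits
    of a known contact but not equal to it) or 'unknown' (everything else).
    """
    addr = extract_address(header)
    best = min(known, key=lambda k: levenshtein(addr, k))
    d = levenshtein(addr, best)
    if d == 0:
        return "known", best, 0
    if d <= max_distance:
        return "lookalike", best, d
    return "unknown", best, d


def flag_lookalikes(headers, known=KNOWN_CONTACTS, max_distance: int = 2):
    """Scan a batch of From: values and return only the lookalike ones."""
    flagged = []
    for h in headers:
        verdict, best, d = classify_sender(h, known, max_distance)
        if verdict == "lookalike":
            flagged.append((extract_address(h), best, d))
    return flagged


# Constructed sample From: values: one exact contact, two lookalikes (a
# swapped glyph and a dropped letter) and one unrelated address.
SAMPLE_HEADERS = [
    "Editor <editor@newsdesk.example>",
    "Dolkun <doIkun@uyghurcongress.example>",
    "press@uyghurcongres.example",
    "someone@elsewhere.example",
]

if __name__ == "__main__":
    for addr, best, d in flag_lookalikes(SAMPLE_HEADERS):
        print(f"LOOKALIKE {addr} (resembles {best}, {d} edit(s) away)")
```

The capital-I-for-lowercase-l substitution only survives lowercasing as a one-character difference, which is exactly the kind of edit the threshold is meant to catch; raising `max_distance` catches more variants but also starts flagging legitimately different addresses that share a short local part, so the threshold should be tuned against real contact lists.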
The majority of these first-stage malware attacks were executed through attached documents (rather than .zip or .exe files) using recent but already disclosed vulnerabilities that tend to evade common defenses. Interestingly, in November 2010 there was a marked shift from Adobe to MS Office documents, coinciding with the addition of sandboxing technology to Adobe Reader and the public disclosure of a stack buffer overflow vulnerability in MS Office.
Also, the malicious documents sent to WUC contained several different families or classifications of malware. More than 25% of this malware can be linked to entities that have been reported to engage in targeted attacks against political and industrial organizations, and Tibetan NGOs.
We tested existing AV software for effectiveness in detecting the attacks in the WUC emails shared with us. No single tool detected all of the attacks, and some attacks evaded detection from all of the antivirus scanners. Yet we found the attacks in the malicious documents to be quite similar to those used in other recent targeted attacks, rather than attacks using zero-day vulnerabilities.
Keep in mind that we were scanning these samples months or years after they had been deployed against WUC. Even so, standard anti-virus software was insufficient for detecting these targeted attacks, despite their similarity to known threats, because it relies on static signatures rather than profiling malicious behavior.