A group representing the Uyghurs, a persecuted religious minority in China, faces unrelenting, targeted cyber attacks that appear aimed at stealing sensitive data and otherwise undermining the group’s activity, according to a new study by researchers at Northeastern University in Boston, the Max Planck Institute for Software Systems and the National University of Singapore.
A study of more than 1,400 suspicious email messages sent to members of groups representing the Uyghur minority found that more than three quarters of the messages contained malicious attachments. The messages targeted 724 individuals at 108 separate organizations. Moreover, the researchers found overlap between the individuals associated with the World Uyghur Congress (WUC) and western targets such as the New York Times and U.S. embassies.
The study, “A Look at Targeted Attacks Through the Lense of an NGO,” is being presented at the USENIX Security Conference in San Diego on August 21. (A copy of the full paper is available here.)
The study found that the individuals behind the attacks relied heavily on malicious e-mail attachments to gain a foothold on computers used by the intended victims and victim organizations. Time was taken to craft e-mail messages that appeared to come from trusted sources, and to make the content of those messages look typical of routine correspondence. Attack email messages frequently used malicious Microsoft Office or Adobe PDF attachments to plant malware on the target system.
However, the researchers found that the groups behind the attacks did not rely on – or need – previously unknown (or “zero day”) software vulnerabilities to carry out attacks. Known (but recent) software holes were typically enough to compromise victim systems. Some of the malware used was similar or identical to malicious programs seen in attacks previously identified by the firm FireEye and by Citizen Lab, the report says.
The NGO community is depicted in the report as besieged: a wide net of volunteers and officials within the Uyghur community was targeted, and some individuals were targeted repeatedly. NGO groups are depicted as having few defenses against the attacks; antivirus software was largely ineffective at stopping the malicious programs used in them.
“No single tool detected all of the attacks, and some attacks evaded detection from all of the antivirus scanners,” wrote Engin Kirda, a researcher at Northeastern University, in a blog post. That was despite the fact that the exploits in the malicious documents were “quite similar” to those used in other recent targeted attacks. Even months after the malware was used against the WUC, “standard anti-virus (AV) detection software was insufficient in detecting these targeted attacks,” Kirda wrote.
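Because the attacks described above leaned on Office and PDF attachments that antivirus often missed, a cheap complement to AV is attachment triage: sniff each attachment's real file type from its leading bytes, flag the document formats the study saw in use, and flag a mismatch between the bytes and the claimed file name. The following is an added example written for this article, not code from the researchers; the sample message and its "notes.doc" attachment (really a PDF stub) are constructed here.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Leading bytes of the attachment formats the study found in attack e-mails:
# legacy OLE2 Office files, OOXML (a ZIP container) and PDF.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2-office",
    b"PK\x03\x04": "zip-or-ooxml",
    b"%PDF": "pdf",
}
# File-name extensions that legitimately carry each container type.
EXPECTED_EXT = {
    "ole2-office": {".doc", ".xls", ".ppt"},
    "zip-or-ooxml": {".docx", ".xlsx", ".pptx", ".zip"},
    "pdf": {".pdf"},
}

def sniff(data: bytes) -> str:
    """Identify the container by magic bytes, ignoring the claimed name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def triage_attachments(raw: bytes) -> list:
    """One finding per attachment: name, sniffed type, SHA-256 and flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        kind = sniff(data)
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        flags = []
        if kind in EXPECTED_EXT:
            flags.append("risky-document-type")      # format seen in the study
            if ext not in EXPECTED_EXT[kind]:
                flags.append("extension-mismatch")   # bytes disagree with name
        findings.append({"name": name, "kind": kind, "flags": flags,
                         "sha256": hashlib.sha256(data).hexdigest()})
    return findings

def build_sample() -> bytes:
    """Constructed lure: a 'notes.doc' whose bytes are actually a PDF stub."""
    msg = EmailMessage()
    msg["From"] = "Trusted Contact <contact@example.org>"
    msg["To"] = "member@example.org"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Please review the attached notes before tomorrow.")
    msg.add_attachment(b"%PDF-1.4\n% constructed stub, not a real document\n",
                       maintype="application", subtype="msword", filename="notes.doc")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in triage_attachments(build_sample()):
        print(finding)
```

The hash in each finding lets an analyst correlate a sample across scanners, which is how the study measured that no single tool caught every attachment.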