Microsoft Office to Blame for Entry in Pro-Tibet Group Hacks
There have been rumors and fragments of information circulating on the internet for the past few months suggesting that China has been covertly attacking computers in the US. The Pentagon has revealed that its servers have been hacked numerous times, and defense contractors are likewise blaming China for intrusions into their systems.
Furthermore, in the wake of the Tibet riots, pro-Tibet groups have suffered similar hacks, with information disappearing and websites being taken down.
Research by Mikko Hyppönen, chief research officer at security software vendor F-Secure, and his colleague Patrik Runald suggests that the doorway into these groups was left open by Microsoft Office applications.
Since 2006, attacks that appear to originate in China have been flooding pro-Tibetan groups, U.S. defense contractors and government agencies. They arrive as emails, often disguised as people looking for work. The attached résumés are booby-trapped: when opened, the file crashes the computer but at the same time drops a keylogger, which records every key pressed, and data-stealing software that harvests everything the victim's account can reach.
This type of espionage is highly successful. According to Hyppönen, one multi-billion-dollar defense contractor that came to F-Secure for help found that it had been sending information to a server in mainland China for 18 months, all from a single Windows machine.
“Most attacks go unnoticed and targets don’t know they are hit,” Hyppönen said. He will not guarantee that the attacks are coming from China; on attribution he remains undecided. “Is it the Chinese?” Hyppönen asked. “It sure looks like it but it could be a smokescreen. We don’t know.”
For a long time computer protection has focused on keeping people safe from those simply trying to make a quick buck: stealing movies to pirate before the release date, raiding people’s bank accounts and trade information, identity theft. These were the focus for much of the industry.
“We now have to deal with the criminal doing it for money, and the spies doing it for information,” Hyppönen said.
The pair also focused their research on Microsoft and its record release of patches towards the end of 2006. Hyppönen is the first person to link the acknowledged intrusions with Microsoft’s increase in patch releases.
From 2005 through early 2006, Microsoft released very few patches for its suite of Office applications. But Runald notes that after that there was a dramatic increase in the number of patches for “critical bugs”, including a record 26 patches in October 2006 that fixed four critical bugs in Microsoft Office apps.
Those fixes, Runald says, appeared contemporaneously with the rise of targeted attacks on defense companies, nonprofits and government agencies. “They now have an incentive to begin looking for bugs and exploiting them,” Runald said. “Bad guys are finding these things fast.”
The form the recent attacks take suggests that they are all the work of the same group of hackers. “The files have the same hash,” Hyppönen said. “It’s almost a given it is the same attacker.” In other words, the similarity of the code used to infiltrate the computers suggests that the same hackers are attacking these varied targets: US government agencies, pro-Tibetan groups and others.
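The "same hash, same attacker" reasoning above is what a defender does when clustering suspicious attachments across victims. The following is an added example, not F-Secure's code or anything from the original article; the sample set is constructed (the byte strings are stand-ins for document contents, not real malware), and it shows that renamed attachments with identical content still collapse to one hash seen at several organizations.

```python
import hashlib
from collections import defaultdict

# Constructed sample set: (victim organization, attachment file name, attachment bytes).
# The bytes are placeholders for real document contents; none of this is real malware.
SAMPLES = [
    ("defense-contractor-A", "resume.doc",    b"DOC-STUB-payload-variant-1"),
    ("tibet-ngo-B",          "cv_2008.doc",   b"DOC-STUB-payload-variant-1"),
    ("gov-agency-C",         "resume.doc",    b"DOC-STUB-payload-variant-1"),
    ("defense-contractor-A", "quarterly.xls", b"XLS-STUB-ordinary-spreadsheet"),
    ("tibet-ngo-B",          "agenda.ppt",    b"PPT-STUB-payload-variant-2"),
]


def sha256_hex(data: bytes) -> str:
    """Content hash of an attachment; the file name is ignored on purpose."""
    return hashlib.sha256(data).hexdigest()


def cluster_by_hash(samples):
    """Group samples by content hash, recording which organizations received
    each file and under which names it was sent."""
    clusters = defaultdict(lambda: {"orgs": set(), "names": set(), "count": 0})
    for org, name, data in samples:
        c = clusters[sha256_hex(data)]
        c["orgs"].add(org)
        c["names"].add(name)
        c["count"] += 1
    return dict(clusters)


def shared_campaign_hashes(samples, min_orgs=2):
    """Hashes seen at >= min_orgs distinct organizations: the signal that one
    actor is hitting unrelated targets with the same lure."""
    clusters = cluster_by_hash(samples)
    return sorted(h for h, c in clusters.items() if len(c["orgs"]) >= min_orgs)


if __name__ == "__main__":
    clusters = cluster_by_hash(SAMPLES)
    for h in shared_campaign_hashes(SAMPLES):
        c = clusters[h]
        print(f"{h[:16]}... seen {c['count']}x at {sorted(c['orgs'])} "
              f"under names {sorted(c['names'])}")
```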
In the end, Runald says the message is clear. “The enemy is changing,” he said. “Now we are also fighting spies.”