A look at advanced targeted attacks through the lens of a human-rights NGO, World Uyghur Congress

In my capacity as an academic researcher at Northeastern University, I collaborated with computer scientists Stevens Le Blond, Adina Uritesc and Cedric Gilbert at the Max Planck Institute for Software Systems as well as Zheng Leong Chua and Prateek Saxena at the National University of Singapore to study cyber-attacks against the human-rights Non-Governmental Organization (NGO) representing the Uyghur ethnic minority group living in China and in exile: World Uyghur Congress (WUC).

Our findings illuminate a series of apparently targeted, sophisticated cyber-attacks deployed against WUC and affiliated organizations and individuals — with a combination of social engineering and exploits through email (similar to spear phishing) — over a period of four years.

Two volunteers at WUC provided more than 1,000 suspicious emails sent to more than 700 different email addresses from 2009-2013, including WUC leaders as well as:

• Journalists (including at AFP, CNN International, Los Angeles Times, New York Times and Reporters Without Borders)
• Politicians (including in the Socialist Party of the Netherlands and the Chinese Democratic Party)
• Academics (including at Penn State University, Howard University, Syracuse University, George
• Washington University and the Xinjiang Arts Institute China)
• Employees of other NGOs (including Amnesty International and Save Tibet – International Campaign for Tibet).

We analyzed those emails including any embedded URLs, attachments or files to determine if and how often they contained social engineering techniques, attack vectors, exploits and malware.

We found that the language and subject matter of malicious emails were intricately tailored to appear familiar, normal or friendly, with the sender impersonating someone else to lure the recipient into opening an attachment or URL: all hallmarks of social engineering.

The majority of the messages sent to WUC and others were in the Uyghur language, and about a quarter were in English. Emails were sent from compromised accounts inside the WUC organization or from email addresses that were a character or two off from the known email address to trick the eyes of the recipients.

The majority of these first-stage malware attacks were executed through attached documents (rather than. zip or .exe files) using recent but disclosed vulnerabilities that tend to evade common defenses. Interestingly, in November 2010 there was a marked shift from Adobe to MS Office documents coinciding with the addition of sandboxing technology to Adobe Reader and the public disclosure of a stack buffer overflow MS Office vulnerability.

Also, the malicious documents sent to WUC contained several different families or classifications of malware. More than 25% of this malware can be linked to entities that have been reported to engage in targeted attacks against political and industrial organizations, and Tibetan NGOs.

We tested existing AV software for effectiveness in detecting the attacks in the WUC emails shared with us. No single tool detected all of the attacks, and some attacks evaded detection from all of the antivirus scanners. Yet we found the attacks in the malicious documents to be quite similar to those used in other recent targeted attacks, rather than attacks using zero-day vulnerabilities.

Keep in mind, we were scanning these samples months or years after they had been deployed against WUC. Even so, standard anti-virus detection software was insufficient in detecting these targeted attacks despite their similarity to known threats because it relies on static signatures rather than malicious behavior profiling.

Lastline Labs also recently reported on the inadequacy of traditional AV scanners in detecting advanced malware, using different samples not specifically targeted against an NGO like those sent to WUC.

This chart shows AV scanners’ 2014 detection rates of malware sent to WUC from 2009-2013.

Our complete findings from A Look at Targeted Attacks Through the Lens of an NGO will be presented at the USENIX Security Conference on August 21, and the full paper is available here.