Online attacks: Activists are being targeted, but why?

Posted on: 28 October 2009 by Mike Miner

Our friends over at the Citizen Lab, forever digging through lines of code to uncover and understand malware attacks at home and abroad, have published a new report looking at vulnerabilities among civil society organizations to malware attacks.

According to their research, many civil society organizations (NGOs, charities, etc.) are often seriously compromised, virus-ridden and used as vehicles to deliver online attacks.

Citizen Lab's investigation looked at incidents involving sites like 64Tiangwang.com, a site that reports on people who have disappeared in China; an email that appeared to come from the head of the Office of Tibet in Geneva, Switzerland, that linked to a Reporters Without Borders petition; and even a malicious link left in the comment section of a BoingBoing post about the Uighur crisis.

Many of the attacks exploited security loopholes in software that allowed the attackers to implant malware or set up "phishing" attacks, tricking people into entering sensitive information like passwords into seemingly legit login prompts for email sites.

You might assume that because these attacks seem to be specifically targeting these causes, they are likely perpetrated by their opponents (in the case of any of the instances looked at in the Citizen Lab report, it would be natural to suspect the Chinese government). But that might not be the case.

It makes sense that these kinds of activist sites are targeted for cyber attacks. As the saying (that I keep saying, and hat-tipping Ethan Zuckerman for) goes, you can tell an internet service is useful if there is lots of pornography, pictures of cute cats and activists on it. Even as netiquette slowly reaches the point where people can resist the urge to mass email any joke they've been forwarded, petitions and noble causes appeal to our better moral instincts to the point that they sometimes override our common sense about how the online world works. Activists of every degree are everywhere online. I imagine at some point everybody who spends much time online gets involved in a cause.

The fake email from the Office of Tibet in Geneva actually did link to a real Facebook petition. But evil was lurking in the code that led from the email to the petition. And so people were unaware they were spreading a link that could also impair security, steal private information or turn their computer into a zombie.

These civil society groups are being targeted, but it may not be because of their beliefs. Instead, it could be because they are relatively easy marks that spread links widely and sometimes without much scrutiny. Although the authors of the Citizen Lab report admit they are unsure who was behind the attacks, they recognize this possibility.

"One could argue that the attacks are somewhat coincidental. The civil society organizations may just be running vulnerable software that was (automatically) exploited and used just like any other random target as a vehicle to propagate malware through the insertion of a malicious iframe. That is, there is no intent to target civil society specifically. Similarly, using a human rights themed email in a social engineering attack might just be a convenient way to get peoples’ attention; it is not about targeting civil society per se, just that human rights is an appealing topic and people might more easily enticed to click on such a link."

Still, the authors say the quality of the fake email in the Tibet case might imply that the culprit is specifically targeting Tibetan activists.

"The text of the emails contain less spelling and grammatical errors and exploit legitimate email and petition campaigns. The level of specificity and intentionality exceeds the threshold for a group of attackers that simply wants to infect as many hosts as possible. On the contrary, these attacks actually may limit the total number of hosts but provide the attackers with politically sensitive hosts."

Still, even if attacks target "politically sensitive hosts," that doesn't mean they are done for political reasons. An activist organization is, well, active and organized. They have a team of people dedicated to spreading content and a network of people who are receptive to clicking on and forwarding the links that organization distributes. Harnessing high-yield users like this is much more efficient than blasting rafts of infected links randomly into the web. Perhaps the increased quality of the fake emails, which is a trend the Citizen Lab has been seeing more of, is simply a higher bar these attackers need to clear to take advantage of a more valuable and efficient victim. It makes sense to try this whether attackers are opposed to these activists' causes or not.

For a broader look at the world of online activism, check out our recent show The Limits of Digital Activism.

Comments

How appropriate

I just had to delete a comment, probably posted by a spambot, that was designed to look legit (although completely off topic) ending with a link to payday loans that would surely do your hard drive no good if you clicked it.

Remain vigilant, internet.

posted by Mike Miner Staff on 29 October 2009 at 10:45 AM

Who is targeted and why?

I suspect, Mike, that many of these attacks are launched out of spite, a form of anti-social behaviour. Who better to attack than those social groups whose aim is to improve the world for the better?

posted by BorisTheYounger on 29 October 2009 at 11:21 AM

You'd assume that

I'm sure there are many cases where groups are attacked out of spite and by their primary opponents. But research into specific attacks shows this is often not the case.

In one incident, a series of opposition websites in an authoritarian country were defaced. Research into the attacks (tracing computers to see who was attacking, when, how) showed pretty conclusively that it wasn't the government, it was a bunch of bored kids screwing around on their computers behind them.

Knowing stuff like this makes it easier for the civil society groups to protect themselves, because they know why and how they're being attacked.

Like I said in the post, there are many reasons to attack these sites (because they are effective at spreading malware) that aren't personal.

To your point, I'd be really interested to know the root motivation. Is it spite, profit, or what. We're learning more about these kinds of attacks every day.

I'd suggest reading Nart Villeneuve's blog if you're interested in other examples (it's in my blog roll). He's one of the researchers who worked on this report.

posted by Mike Miner Staff on 29 October 2009 at 12:52 PM

Anti-social behaviour...

The bored kids scenario ties in perfectly with the kind of anti-social behaviour I am thinking about, Mike. There is nothing personal about it. I am thinking along the lines of vandalism, destruction of property, almost for its own sake, because it gives the perpetrator amusement and pleasure. I am not suggesting that this explains all the attacks, but some of them, perhaps a significant proportion. By attacking the social activist sites, one is killing two birds with one stone - on the one hand, vandalizing not just any site at all, but precisely the sites of those who are attempting to do good for the world, stymying their efforts, while at the same time guaranteeing that the damage will be spread to the greatest possible number. Within the framework of Freudian psycho-sexual development, many of these individuals may be suffering from a kind of anal fixation which brings on an "expulsive-anal personality" characterized by messy, wasteful or destructive behaviour. Their parents may have taken too lenient an approach to toilet training. If indeed the causes are rooted to some extent within the human psyche, I do not know where this leaves us in terms of prevention. In any event, I will have a look at the Villeneuve site. This is a fascinating question.

posted by BorisTheYounger on 29 October 2009 at 1:55 PM

Villeneuve blog

A glance at his blog does suggest that there ARE a variety of motivations involved. Some of it is no doubt for profit, some is done out of boredom as with the kids in the authoritarian country, and some is personal - an attempt to undermine the efforts of activists by certain governmental or nongovernmental agencies, perhaps tied to authoritarian regimes like the Chinese and the Russians, for example. Maybe it is the CIA? It may be a part of some grand strategy to develop the capacity to undermine and cripple the world-wide-web very rapidly and on a massive scale, in the event of some global conflict.

posted by BorisTheYounger on 29 October 2009 at 2:31 PM

More stuff

You also might be interested in Evgeny Morozov's blog Net Effect (also in my blog roll). If you're on Twitter, so is he: @evgenymorozov.

But check out this piece by Richard Clarke about cyber security. I think you'll be interested. Personally, I think he might be focusing too much on a worst-case scenario. I don't quite buy the picture of the future of warfare he's selling.

http://www.nationalinterest.org/Article.aspx?id=22340

posted by Mike Miner Staff on 29 October 2009 at 3:11 PM

Richard Clarke

He appears to be a right-wing hawk who would like nothing better than to frighten everyone into going along with huge expenditures on cyber-defense. I do suspect that many of the cyber-attacks that are taking place are also being initiated by US sources - CIA, Cyber Command, and so on. Are we really to believe that they are only interested in defense? Give me a break, Richard.

posted by BorisTheYounger on 29 October 2009 at 5:14 PM

Just in case you didn't recognize the name Richard Clarke

http://en.wikipedia.org/wiki/Richard_A._Clarke#Early_warnings_about_Al-Qaeda_threat

http://en.wikipedia.org/wiki/Against_All_Enemies

Just because you said "appears to be". In case you aren't familiar with him, he is the guy who went public with an inside look at the White House response to 9/11.

posted by Mike Miner Staff on 30 October 2009 at 1:53 PM

The guy who went public...

Interesting...Irate because Bush demoted him or did not listen to him? Just trying to promote his book?

posted by BorisTheYounger on 30 October 2009 at 2:27 PM

Cyber-attacks

Another, very cynical, possibility is that companies that sell computer security products make the attacks, so as to ensure continued sales.

posted by John Humphrey, nerd on 01 November 2009 at 8:06 PM
