Chinese hackers target human rights groups, Citizen Lab says
All 10 groups compromised during 4-year study period
Buffeted by persistent cyberattacks, Tibetan monks are giving new meaning to their ancient creed: Detach from attachments.
"Attachment can lead you to all sort of trouble and we Buddhists believe that non-attachment alone can lead you to happiness," 30-year-old monk Jamyang Palden told The Associated Press at a cafe in the Indian hill town of Dharamsala, before giving the philosophy its Information Age twist: "We have to learn to be suspicious of email attachments."
The internet safety slogan, one of several messages championed by digital security group Tibet Action Institute, is an example of how human rights defenders are seeking creative ways to protect activists from electronic espionage.
"It's cheesy, but it's memorable," said Freya Putt, a Vancouver-based activist.
There's little doubt that groups like Tibet Action need protection. A major study published Tuesday by internet watchdog Citizen Lab shows that it and other civil society organizations have been penetrated by cyberspies, many of them linked to China. And the report says that those behind the compromises are the same hackers responsible for high-profile attacks on major multinationals and Western governments.
"There's no doubt about it. This is something that is, if not carefully orchestrated by the government of China, is certainly tolerated by them and they benefit from it," Citizen Lab director Ron Deibert told Reuters.
"They're using the same weaponry, the same arsenal — indiscriminately," he said to the Associated Press.
Deibert's study draws on four years of research with Tibet Action and nine other cooperating civil society groups. Eight are China or Tibet-focused; two are large international human rights organizations.
More than 800 suspicious emails
Altogether the groups forwarded more than 800 suspicious emails to Citizen Lab, an interdisciplinary laboratory based at the University of Toronto's Munk School of Global Affairs. Experts there scanned the emails for malicious software, checked several organizations' networks for intruders, interviewed campaigners and, in the case of one particularly hard-hit human rights organization, combed through half a dozen hard drives.
All 10 groups were compromised at some point during the study, many of them through emails carrying booby-trapped attachments.
In a 2012 attack email shared with the AP, Tibet Action's director Lhadon Tethong was approached by a hacker impersonating a well-known China scholar, asking whether she would proof-read a list of Tibetans who have set themselves on fire in protest against the government in Beijing.
"Would you please have a look and make necessary corrections?" the email asks.
That attack failed — Tethong sensed a trap when she noticed the email did not come from the scholar's professional address — but others succeeded. Deibert said one rights group had its network compromised by "APT1" — a prolific hacking crew whose activities have been tied to China's People's Liberation Army — for 20 months.
Asked about hacking claims, the Chinese government told Reuters it had not seen the report and denied knowledge of or involvement in any attacks. China is willing to work to "jointly safeguard peace and security, openness and cooperation in cyberspace," a foreign ministry spokeswoman said.
Security holes remain unpatched
Most targets of the attacks studied by Citizen Lab are anonymous, something Deibert says is in part because security holes identified by his colleagues remain unpatched. That means the organizations could be at greater risk if their names got out.
Others may simply fear losing face.
"There's still a stigma in some circles around computer breaches of any sort," Deibert said.
That isn't an issue for Tibet Action, whose work is centered on raising awareness about online threats.
The efforts involve comic strips which portray Tibetans being spied on through their webcams or their smartphones by glowering Chinese officers with 1950s-style headsets, and a video skit in which "Attachment" — played by a grinning Tibetan amateur — sneaks into a man's home and steals his wallet.
It may be corny but trainer Lobsang Gyatso Sither says the humor works. Sither shows the film and repeats the 'Detach from Attachments' mantra at digital security classes he teaches in Dharamsala and elsewhere.
Palden, the monk, appears to have gotten the point. He tapes over his Mac's webcam, takes the battery out of his Nokia handset when he doesn't want to be tracked and avoids popular Chinese chat program QQ. And he has absorbed the main message: "I do not open attachments from sources I do not trust," he said.
Deibert says the plight of people like Palden is often lost amid a cybersecurity debate which focuses on attacks against Fortune 500 companies and high-powered defense contractors.
"Ironically we are spotlighting the organizations that are the most equipped, that have the most resources and capacity to throw at the problem while leaving aside the organizations that could use the most help," Deibert said.
He said one solution might be for human rights organizations — and their funders — to follow Tibet Action's example in opening up about the threats they face.
"I'm not a Buddhist," Deibert said, "but groups around the world could learn a lot from the Tibetans."
With files from Reuters