The Chinese-language website of Tibet’s exiled leader, the Dalai Lama, has been compromised in a “precisely targeted” watering-hole attack, a Kaspersky Labs researcher reported.
Senior security researcher Kurt Baumgartner described the attack in his blog.
“A snippet of code on the Central Tibetan Administration website redirects Chinese-speaking visitors to a Java exploit that drops an APT-related backdoor,” he said. “The selection of placement for the malicious code is fairly extraordinary.”
Baumgartner said the attack was “precisely targeted, as an appended, embedded iframe redirects ‘xizang-zhiye(dot)org’ visitors to a Java exploit that maintains a backdoor payload. The English and Tibetan versions of the website do not maintain this embedded iframe on the Chinese version.” He cautioned users not to visit the affected site “at this time.”
“It seems that the few systems attacked with this code are located in China and the US, although there could be more,” Baumgartner said. “This threat actor has been quietly operating these sorts of watering hole attacks for at least a couple of years and also the standard spearphishing campaigns against a variety of targets that include Tibetan groups.”
The Dalai Lama, 78, fled China to India in 1959 after an abortive uprising against Chinese rule. Beijing considers him to be a violent separatist, and Chinese state media routinely vilify him. The Dalai Lama, who is based in India, says he is merely seeking greater autonomy for his Himalayan homeland.
Reuters quoted Will Gragido, a researcher with the RSA security division of EMC who is an expert on water holing, as saying the attack on the Tibetan site had the look of an advanced persistent threat, or APT.
In some cases APTs are launched through tainted e-mails. In others this is done through “water holes,” a name derived from a hunting method used by predators in which they stake out specific locations, rather than roaming in the wild to look for prey.
“The CTA is a site most people are not going to traverse,” Gragido told Reuters. “They are less likely to see my grandmother traversing that site than they are somebody with a vested interest in seeing what’s going on in Tibet.”