Connect with us

Hi, what are you looking for?



Attackers Leverage Twitter to Target Tibetan Activists With Malware

Attackers appear to be adding social networking sites to their repertoire of attacks targeting Tibetan activists.

Attackers appear to be adding social networking sites to their repertoire of attacks targeting Tibetan activists.

An attacker posted three messages containing links to sites hosting malware on Twitter and addressed them to three specific Twitter accounts associated with Chinese political activists and affiliates, Wes Hurd, a cyber-threat analyst with Cyber Squared, posted on the company blog this week. The rogue Twitter account was registered Feb. 27 and the messages sent that day, Hurd said.

The attacks contained links to two sites, a Chinese-language forum and a Tibet-related WordPress blog, which had been compromised to host exploits targeting Adobe Flash Player, Hurd said. The exploits targeted CVE-2013-0634, which has been previously observed in targeted attacks against aerospace companies. Adobe patched the flaw in an emergency update Feb. 8 and said the attacks were limited to Firefox or Safari users on Mac OS X.

“Security teams often overlook, or fail to consider, how online profiles within social networking sites can be leveraged as an initial attack vector,” Hurd wrote.

Cyber Squared notified Twitter Security of the malicious account and “associated targeted attacks.” As of today, however, the account appears to still be active, although it has not posted again since those three initial messages.

The targeted Twitter accounts were associated with an individual affiliated with a Tibetan independence movement and two Chinese-language accounts associated with political activism, Hurd said.

“All of the tweet recipients share characteristics that would be of interest for Chinese government sponsored cyber espionage actors, and are related to entities that are known targets of Chinese APT,” Hurd wrote.

Advertisement. Scroll to continue reading.

The link sent to the two Chinese-language accounts contained links to a Chinese-language forum hosting the Flash SWF exploit, Hurd said. The text associated with the links reference current president of China Xi Jinping and former Politburo member Bo Xilai.

The link sent to the individual account directed users to a WordPress blog containing a list of all the self-immolation protests in the name of Tibetan independence and hosting a Flash SWF exploit. Cyber Squared stumbled across a second exploit on this WordPress blog which appeared to be targeting Uyghur supporters, another ethnic group protesting the Chinese government, Hurd said.

SecurityWeek took a look at the targeted accounts and while the individual had re-posted Twitter messages from the Dalai Lama, the other posts weren’t politically-oriented at all. The account also didn’t have any activity since January. One of the Chinese-language accounts, posting related news items, have not posted anything new since Feb. 24. The other, associated with a blog “Global China Network,” continues to be prolific.

The exploits dropped two executables on infected systems, one of which was a remote access Trojan communicating with a command-and-control server to install additional malicious plugins and steal data, Hurd said.

The Twitter-based attack joins the several different campaigns targeting Tibetan and other political activists in the past year. Citizen Lab recently discovered Android malware targeting Tibetans and reporting their physical locations to the attackers. Kaspersky Lab has also uncovered several Mac OS X malware attacks targeting Uyghur and Tibetan individuals.

Organizations need to consider that “a focused threat actor” can sneak targeted attacks into an enterprise using social networking sites, Hurd added.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.