Several prominent Chinese-language news websites that are blocked in China have been targeted in malware, phishing and reconnaissance attacks, according to a new report from the University of Toronto’s Citizen Lab group.
Citizen Lab learned of the attacks after being contacted by China Digital Times (CDT), a California-based bilingual news website covering China. Someone purporting to be a UC Berkeley student sent an email to a CDT journalist claiming to have “insider information” on cyberattacks launched at Mingjing News after it interviewed a Chinese billionaire who accused high-ranking officials in China’s Communist Party of being corrupt. Other CDT staff received similar emails the following days.
The messages contained a link pointing to a fake CDT website designed to redirect users to a WordPress phishing page. CDT does run on WordPress and the fake login page was well designed, suggesting that the attacker had put considerable effort into the campaign.
The attack on CDT lasted for roughly 20 days, but it did not appear to be successful and the threat group moved on to other targets. An analysis of the server used to host the phishing website and registration data showed that the group had also set up several other domains designed to mimic popular Chinese-language news websites that are blocked in China.
This includes Mingjing News, Epoch Times, HK01 and Bowen Press. The fake domains have apparently been set up for various purposes, including phishing, malware delivery and reconnaissance.
While Citizen Lab identified fake domains designed to mimic the ones of the aforementioned news websites, researchers were unable to confirm that these organizations were directly targeted by the threat group.
The malware involved in the attacks is NetWire, a remote access trojan (RAT) known to be used by several actors. The malware was configured to bypass detection and make analysis more difficult.
The threat group is believed to have targeted Chinese-language news sites since at least 2015. Researchers also discovered links between this campaign and a 2013 operation aimed at a Tibetan radio station, and a 2015 attack targeting Thai government agencies. The digital certificate used to sign the malware is the same as one spotted last year in attacks aimed at the gaming industry.
One possibility is that the same threat group is behind all operations, but a more likely scenario is that different actors have shared some resources.
As far as attribution is concerned, Citizen Lab pointed out that the targeted organizations are of interest to the Chinese government.
“It is noteworthy that all of the fake websites our researchers discovered in this campaign are meant to mimic news websites that publish content critical of the Chinese government. It is possible the operators behind this campaign are ‘hackers for hire’ — typical of the way in which a lot of cyber espionage is outsourced in China,” explained Ronald Deibert, director of Citizen Lab. “However, we are unable to positively attribute this campaign to a specific state agency.”
Related Reading: Operation Cloud Hopper: China-based Hackers Target Managed Service Providers
Related Reading: APT3 Hackers Linked to Chinese Ministry of State Security
Related Reading: China-Linked Hackers Target U.S. Trade Group