Key Tibetan website compromised

Researchers from Kaspersky Labs on Monday reported that the Central Tibetan Administration (CTA) website was compromised, noting that the attackers were highly selective about their victims.

Kaspersky's Kurt Baumgartner wrote on the company blog that the attack is precisely targeted: an iframe appended to the Chinese-language version of the site redirects its visitors to a Java exploit that delivers a backdoor to the system.

"At this point in time, it seems that the few systems attacked with this code are located in China and the US, although there could be more," he wrote.

According to Baumgartner, the Java exploit being delivered archives, drops and executes the backdoor. Further examination of the code delivered during the attack shows signs of APT-related toolchains, suggesting that the CTA compromise was not a passive attack but a deliberate one. The selective targeting reinforces that conclusion.
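As an added illustration of the defender's side of the mechanism described above (this is not code from Kaspersky or the article), the scanner below flags iframes that were appended after the closing html tag, are hidden or zero-sized, or point at a host outside an assumed first-party allowlist; the sample page and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []          # (attrs dict, appeared after </html>)
        self.html_closed = False   # set once </html> has been parsed

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append((dict(attrs), self.html_closed))

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True


def _is_hidden(attrs):
    """Zero/one-pixel frames or CSS-hidden frames are classic injection tells."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, first_party_hosts):
    """Return (src, reasons) for every iframe that merits a closer look."""
    scanner = _IframeScanner()
    scanner.feed(html)
    findings = []
    for attrs, appended in scanner.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if appended:
            reasons.append("appended after </html>")
        if _is_hidden(attrs):
            reasons.append("hidden or zero-sized")
        if host and host not in first_party_hosts:
            reasons.append("third-party host " + host)
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page (not the real CTA HTML): one legitimate embed, one injected frame
SAMPLE_PAGE = ('<html><body><iframe src="https://video.example.org/player" width="640" '
               'height="360"></iframe></body></html>\n'
               '<iframe src="http://bad.example.net/x.html" width="0" height="0" '
               'style="display:none"></iframe>\n')
```

Running `find_suspicious_iframes(SAMPLE_PAGE, {"video.example.org"})` reports only the appended, hidden, third-party frame; a site-integrity job can diff such findings against a known-good baseline of each page.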

"The Java exploit appears to attack the older CVE-2012-4681 vulnerability, which is a bit of a surprise, but it was used by the actor distributing the original CVE-2012-4681 0-day Gondzz.class and Gondvv.class in August of last year," Baumgartner noted.

"This threat actor has been quietly operating these sorts of watering hole attacks for at least a couple of years and also the standard spearphishing campaigns against a variety of targets that include Tibetan groups."

According to Kaspersky's records, the actor behind the attack on the CTA website has been active since late 2011.

In April, another Tibetan organization, the Tibetan Homes Foundation, had its website compromised in an attack that targeted Tibetan activists. According to Kaspersky researchers, that attack leveraged malicious Flash files signed with certificates stolen in an earlier campaign targeting gaming companies in Southeast Asia.

In February, Tibetan activists were targeted via Twitter with messages urging Free Tibet movement leaders to follow malicious links. Those links led to websites hosting exploits that had previously been used in attacks against aerospace firms and a payroll processing company.
