Researchers at Citizen Lab have recently uncovered an unusual campaign aimed at infiltrating Chinese-language news sites. The starting point was the discovery of a phishing campaign targeting journalists at China Digital Times, a US-based publication.
Attacks on news organizations that cover China have become a recurring feature of intrusions traced to operators based in China. Earlier examples include the intrusion attempts against The New York Times and the theft of credentials at The Washington Post, both of which were attributed to attackers operating from China.
For now, the apparent aim of the operators is to find out what exactly the foreign reporters working in China have uncovered.
Citizen Lab began its investigation after the attempted attack on China Digital Times, which is based in California.
The researchers found that a suspicious email, crafted to look as if it came from a legitimate sender, was a phishing attack: the link in the message led to a fake login page. The attackers were counting on unwary staff entering their credentials into the fake page, which would hand those credentials straight to the attackers.
When the researchers examined the server behind the fake page, they discovered that it was also hosting several other fake domains. This showed that the attackers were trying to trick not only CDT but a number of other publications that report on China.
These include Bowen Press, The Epoch Times and Mingjing News. For some of these fake domains the attackers went as far as cloning the entire website. Had a reporter fallen for the trick, their credentials would have been stolen; in this case the ruse was spotted instead.
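How a lookalike login link of the kind described above can be caught before anyone types a password, as an added example that is not part of Citizen Lab's report or of the original article: the Python below was written for this page. It assumes that the real domain of China Digital Times is chinadigitaltimes.net, and every phishing host in it is constructed for illustration rather than taken from the actual campaign (the page does not list the fake domains). It flags three tricks: a homoglyph or hyphenated variant of the brand, the real domain used as a subdomain of an attacker-controlled domain, and the real domain smuggled into the userinfo part of the URL.

```python
"""Spot links whose host impersonates a legitimate news site.

Added example, not code from Citizen Lab or from the publications named
in the article. Assumptions: China Digital Times' real domain is taken to
be chinadigitaltimes.net; every phishing URL below is constructed for this
demonstration and is not one of the domains from the actual campaign.
"""
from __future__ import annotations

from urllib.parse import urlparse

# Domains the newsroom actually owns (assumed; see module docstring).
LEGITIMATE_DOMAINS = {"chinadigitaltimes.net"}

# Minimal stand-in for a public suffix list; a real deployment should use
# the full list (for example via the tldextract package) instead of this set.
TWO_LABEL_SUFFIXES = {"co.uk", "com.cn", "com.hk", "com.tw", "net.cn", "org.cn"}

# Substitutions attackers use so a host reads like the original at a glance.
HOMOGLYPH_SWAPS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                   ("3", "e"), ("5", "s")]


def registrable_domain(host: str) -> str:
    """Return the domain a registrant controls, e.g. 'a.b.co.uk' -> 'b.co.uk'."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(text: str) -> str:
    """Strip dots and hyphens and undo common homoglyph swaps before comparing."""
    text = text.replace(".", "").replace("-", "")
    for fake, real in HOMOGLYPH_SWAPS:
        text = text.replace(fake, real)
    return text


def classify_link(url: str) -> str:
    """Classify one URL as legitimate, lookalike (naming the trick) or unrelated."""
    if "://" not in url:
        url = "http://" + url  # bare hosts pasted into email text still need parsing
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return "unparseable"
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return "legitimate"
    for legit in LEGITIMATE_DOMAINS:
        # http://chinadigitaltimes.net@evil.example/ : the real name sits in the
        # userinfo field while the browser actually connects to evil.example.
        if parsed.username and legit in parsed.username.lower():
            return "lookalike: legitimate domain in userinfo"
        # The brand appears anywhere in a host the newsroom does not control,
        # covering chinadigita1times.net, china-digital-times.example and
        # chinadigitaltimes.net.verify.example alike.
        brand = legit.split(".")[0]
        if normalise(brand) in normalise(host):
            return "lookalike: brand in unrelated host"
    return "unrelated"


def scan_links(urls: list[str]) -> dict[str, str]:
    """Classify every link pulled out of a message; flagged ones need a closer look."""
    return {url: classify_link(url) for url in urls}


if __name__ == "__main__":
    # Constructed sample: the kind of links a phishing email might carry.
    SAMPLE_LINKS = [
        "https://chinadigitaltimes.net/chinese/",
        "https://chinadigita1times.net/login",
        "https://chinadigitaltimes.net.account-verify.example/login",
        "http://chinadigitaltimes.net@account-verify.example/login",
        "https://example.org/",
    ]
    for link, verdict in scan_links(SAMPLE_LINKS).items():
        print(f"{verdict:45} {link}")
```

The check compares the registrable domain rather than the whole hostname, so a genuine subdomain such as www.chinadigitaltimes.net passes while chinadigitaltimes.net.account-verify.example does not; a cloned site is only dangerous if the browser actually connects to the attacker's host, which is exactly what the registrable domain tells you.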
Citizen Lab also reported that the domains served three purposes: phishing, reconnaissance and malware delivery. Of the two servers discovered, one was used for reconnaissance and phishing, while the other was used to distribute malware.
The malware turned out to be NetWire, a remote access trojan (RAT). It was first discovered in 2012, when it was being used to collect and store credit card data. The trojan was delivered in disguise, posing as an Adobe update.
NetWire has many capabilities; credential theft and keystroke logging are the most commonly used. It can also capture audio and screenshots, and it can covertly upload and download files.
Because the domain used for the fake China Digital Times page was linked to earlier campaigns, there are two possibilities: either the earlier attacks were carried out by the same group, or several groups share the same infrastructure. Either way, some degree of resource sharing is clearly present.
Journalists are often much easier to trick with phishing emails than ordinary internet users, because receiving information by email from unknown sources is a routine part of their work.