The Dalai Lama has been hacked. Well, at least his Chinese-language website has. According to Kaspersky Lab experts, a snippet of code on the Central Tibetan Administration website redirects Chinese-speaking visitors to a Java exploit that drops an advanced persistent threat-related backdoor.
In a blog post, Kaspersky's Kurt Baumgartner explained that the attack itself is precisely targeted. An appended, embedded iframe redirects the Chinese-speaking visitors to a Java exploit that maintains a backdoor payload.
"The English and Tibetan versions of the website do not maintain this embedded iframe on the Chinese version," he said. "At this point in time, it seems that the few systems attacked with this code are located in China and the U.S., although there could be more . . . Backdoors detected with the Swisyn verdict are frequently a part of APT-related toolchains, and this one most certainly is."
Watering Hole Attacks
Baumgartner said the Java exploit appears to attack the older CVE-2012-4681 vulnerability, which he called "a bit of a surprise." An actor distributing the original CVE-2012-4681 zero-day Gondzz.class and Gondvv.class in August 2012 used it.
"The Payload.main method contains some interesting but simple capabilities that enable an attacker to download the payload over https and AES decrypt it using Java's built-in AES crypto libraries, but the package is not configured to use that code in this case," he said.
"Instead, a couple of lines in its configuration file direct the exploit to drop and execute the jar file's win32 exe resource. The backdoor itself is detected by most of the AV crowd as variants of gaming password stealers, which is flatly incorrect," he added.
Baumgartner also noted that this threat actor has been quietly operating these sorts of watering hole attacks for at least a couple years along with the standard spearphishing campaigns against a variety of targets that include Tibetan groups.
Is it the Government?
Several researchers declined to comment on the issue. We asked Rob Enderle, principal analyst at The Enderle Group, for his sense about what is going on. He told us this appears to be another example of governments using hackers to find out what their citizens are doing and attempting to eliminate dissention before it can emerge.
"Since the Dalai Lama is somebody the Chinese government isn't particularly fond of and since they would probably like to know who's visiting that site -- given the target -- you'd assume this is a Chinese government attack," Enderle said.
"You would think criminals that wanted to exploit individuals would probably target a site where rich people go," he added. "If you are a criminal organization would you really spend your time targeting the Dalai Lama's site?"