Who's Behind the Dalai Lama Website Hack?
By Jennifer LeClaire / NewsFactor Network
The Dalai Lama has been hacked. Well, at least his Chinese-language website has. According to Kaspersky Lab experts, a snippet of code on the Central Tibetan Administration website redirects Chinese-speaking visitors to a Java exploit that drops an advanced persistent threat-related backdoor.

In a blog post, Kaspersky's Kurt Baumgartner explained that the attack itself is precisely targeted. An appended, embedded iframe redirects the Chinese-speaking visitors to a Java exploit that maintains a backdoor payload.

"The English and Tibetan versions of the website do not maintain this embedded iframe on the Chinese version," he said. "At this point in time, it seems that the few systems attacked with this code are located in China and the U.S., although there could be more . . . Backdoors detected with the Swisyn verdict are frequently a part of APT-related toolchains, and this one most certainly is."

Watering Hole Attacks

Baumgartner said the Java exploit appears to attack the older CVE-2012-4681 vulnerability, which he called "a bit of a surprise." The same exploit was used by the actor who distributed the original CVE-2012-4681 zero-day, in the form of Gondzz.class and Gondvv.class, in August 2012.

"The Payload.main method contains some interesting but simple capabilities that enable an attacker to download the payload over https and AES decrypt it using Java's built-in AES crypto libraries, but the package is not configured to use that code in this case," he said.

"Instead, a couple of lines in its configuration file direct the exploit to drop and execute the jar file's win32 exe resource. The backdoor itself is detected by most of the AV crowd as variants of gaming password stealers, which is flatly incorrect," he added.

Baumgartner also noted that this threat actor has been quietly running these sorts of watering hole attacks for at least a couple of years, alongside the standard spearphishing campaigns against a variety of targets that include Tibetan groups.
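The distinguishing feature of this compromise, an iframe appended to the Chinese-language version of the site and absent from the English and Tibetan versions, is something a site operator can check for directly. The following is an added example for this article, not code from Kaspersky or the Central Tibetan Administration; the page markup and the loader URL in it are constructed placeholders.

```python
from html.parser import HTMLParser


class IframeCollector(HTMLParser):
    """Record every <iframe>, noting whether it is hidden or appended after </html>."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.html_closed = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            a = {k: (v or "") for k, v in attrs}
            self.iframes.append({"src": a.get("src", ""), "hidden": is_hidden(a),
                                 "after_html_close": self.html_closed})

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True


def is_hidden(attrs):
    """Zero-size or CSS-hidden frames are the usual shape of an injected loader."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)


def collect_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.iframes


def suspicious_iframes(html):
    """Frames that are hidden or that sit after the closing </html> tag (appended content)."""
    return [f for f in collect_iframes(html) if f["hidden"] or f["after_html_close"]]


def variant_only_iframes(variants):
    """Map iframe src -> variant name for frames that appear in exactly one language variant."""
    seen = {}
    for name, html in variants.items():
        for f in collect_iframes(html):
            seen.setdefault(f["src"], set()).add(name)
    return {src: next(iter(names)) for src, names in seen.items() if len(names) == 1}


# Constructed sample pages (not the real site): identical bodies, but the Chinese copy
# carries a zero-size frame appended after </html>, pointing at a placeholder loader URL.
EN_PAGE = "<html><body><p>Welcome</p></body></html>"
ZH_PAGE = ("<html><body><p>Welcome</p></body></html>\n"
           '<iframe src="http://loader.example.invalid/x.html" width="0" height="0"></iframe>')

if __name__ == "__main__":
    print(suspicious_iframes(ZH_PAGE))
    print(variant_only_iframes({"en": EN_PAGE, "bo": EN_PAGE, "zh": ZH_PAGE}))
```

Run against fetched copies of each language variant (or nightly snapshots), any frame that is both hidden and present in only one variant is worth an immediate look at the server's files and deploy history.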

Is it the Government?

Several security researchers declined to comment on the issue. We asked Rob Enderle, principal analyst at The Enderle Group, for his sense of what is going on. He told us this appears to be another example of governments using hackers to find out what their citizens are doing and attempting to eliminate dissent before it can emerge.

"Since the Dalai Lama is somebody the Chinese government isn't particularly fond of and since they would probably like to know who's visiting that site -- given the target -- you'd assume this is a Chinese government attack," Enderle said.

"You would think criminals that wanted to exploit individuals would probably target a site where rich people go," he added. "If you are a criminal organization would you really spend your time targeting the Dalai Lama's site?"

© Copyright 2017 NewsFactor Network. All rights reserved.