Chinese Hackers Linked To Cyber-Espionage In Japan, India, Tibet

The so-called "Luckycat" campaign has been active since at least June 2011 and has been linked to 90 attacks that use malware tailored for each victim, security vendor Trend Micro said in a report released Friday.

"This illustrates that the attackers are both very aggressive and continually target their intended victims," the report said. "These are not smash-and-grab attacks, but constitute a campaign comprising a series of ongoing attacks over time."

The hackers targeted military research institutions and shipping companies in India; energy, engineering and aerospace entities in China and 30 computers of Tibetan activists. Trend Micro researchers traced the attacks to an e-mail address used to register a command-and-control server. They also mapped the address to a Chinese instant messaging screen name and from there to an online alias, "scuhkr."

The New York Times reported that it traced the alias to Gu Kaiyuan, a former graduate student at Sichuan University in Chengdu, China. The university receives government funding for computer network defense, the newspaper said. According to online records obtained by the Times, Gu is now apparently working for Tencent, a leading Internet portal company in China.

While studying at Sichuan University from 2003 to 2006, Gu wrote numerous articles about hacking under the alias "scuhkr," which is believed to stand for "Sichuan University hacker," according to the Times. The report found that "scuhkr" had recruited other university students for a network attack and defense research project at the university's Institute of Information Security in 2005.

The Times reached Gu at Tencent and asked him about the attacks. "I have nothing to say," he told the newspaper.

Security experts have said China will use people outside the government for hacking operations, which researchers call campaigns. Trend Micro found that malware used in Luckycat were also used in a campaign called "Shadownet,” an indication that there may have been some collaboration. Shadownet has also targeted Tibetan activists and the Indian government.

In both campaigns, e-mails tailored to the recipients are used to get them to click on an attachment that then infects the computer with malware, taking advantage of vulnerabilities in Microsoft Office and Adobe software. Once the malware connects to the hackers' server, additional code is installed to establish control over the system.

In the Luckycat campaign, e-mails sent to Japanese targets took advantage of the confusion following last year's tsunami, the report said. E-mail sent to Indian military institutions contained information on the country's ballistic missile defense program, while messages sent to Tibetan activist used the theme of self-sacrifice.

Security vendor Symantec uncovered the campaign two weeks ago, naming it Luckycat after the login name of one of the other attackers, according to the Times. Without knowing about Symantec's work, Trend Micro released a far more detailed report.