Google: Malware Attack Targets Vietnamese Mining Opposition
Google said in a blog post Tuesday that tens of thousands of computer users in Vietnam opposing a Chinese-backed bauxite mining effort became the victims of a cyberattack when they downloaded Vietnamese keyboard language software and possibly other legitimate software that was infected with malware.
The bauxite mining effort, which is sponsored by China, has fueled political tensions between Vietnamese activists and the Chinese government. However, Google did not specifically finger China as the source of the attacks.
McAfee researchers have since discovered that a botnet, which was identified while investigating Operation Aurora, took control of the Vietnamese users' computers by masquerading as software known as VPSKeys, which enables Windows to support the Vietnamese language. Vietnamese Windows users rely on VPSKeys to insert accents and the appropriate locations when using Windows applications.
Once users downloaded the malware, their computers were immediately linked to globally distributed command and control servers. The malware was then used to spy on the computers' owners as well as to launch distributed denial-of-service attacks aimed at squelching blogs and articles containing political dissent.
"While the malware itself was not especially sophisticated, it has nonetheless been used for damaging purposes," Google said. "Specifically, these attacks have tried to squelch opposition to bauxite mining efforts in Vietnam, an important and emotionally charged issue in the country."
McAfee Chief Technology Officer George Kurtz said in a company blog post that attackers probably initiated their attack by compromising the Web site of the Vietnamese Professional Society (VPS) and replacing the legitimate keyboard driver with a Trojan horse copy containing malware. The hackers then forwarded a socially engineered phishing e-mail to specific individuals linked to the mining opposition, which redirected them to the infected VPS Web site. The users subsequently downloaded the malware onto their machines instead of the VPSKeys software.
Kurtz said that researchers found about a dozen command and control systems operating the hijacked PCs, primarily being accessed from IP addresses in Vietnam.
"It's quite possible that [the botnet] could be controlled by someone connected to the mining interests, but we have no proof of that," said Dmitri Alperovitch, vice president of threat research at McAfee.
McAfee researchers said that the Vietnam botnet, which was later dubbed W32/VulcanBot, was likely first created in late 2009 but was unrelated to the Operation Aurora attacks launched on Google and other companies in January.
Meanwhile, Alperovitch said that while "not extremely sophisticated," the attack against Vietnamese dissidents indicates a growing trend of attacks launched for political and commercial purposes, citing incidents of cyberattacks on Estonia and Georgia after the Russian invasion.
"The interesting story here is this is a growing trend of these sorts of attacks beyond just the financial motive," Alperovitch said. "They're used by nation states but others as well for expressing their political opinions."
Google said that some antivirus vendors have already created signatures designed to block the malware. To prevent future attacks, the search engine giant recommends running antivirus as well as antispyware software from trusted vendors, while ensuring that all Web browser and operating system updates are installed.
"At a larger scale, we feel the international community needs to take cybersecurity seriously to help keep free opinion flowing," Google said.
Alperovitch added that in order to effectively prevent widespread malware attacks, security needed to be embedded into communications infrastructure.
"Education is important and could stop some of these lower-level, less sophisticated types of attacks. But we need to embed security into the communications fabric," he said. "By the time [an attack] gets to the end user, the game is over."