Just Enough to Do the Job: Targeted Attacks on Tibetans

I am pleased to announce a new Citizen Lab report, entitled “It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community.” The report is authored by the Citizen Lab’s Adam Hulcoop, Etienne Maynier, John Scott Railton, Masashi Crete-Nishihata, and Matt Brooks and can be found here: https://citizenlab.org/2016/11/parliament-keyboy/

In this report, the authors track a malware operation targeting members of the Tibetan Parliament over August and October 2016.  The operations involved highly targeted email lures with repurposed content and attachments that contained an updated version of custom backdoor known as “KeyBoy.”

There are several noteworthy parts of this report:

First, this operation is another example of a threat actor using “just enough” technical sophistication to exploit a target.  A significant amount of resources go into a targeted espionage operation, from crafting of an exploit to its packaging and delivery to the intended target, to the command and control infrastructure, and more.  From the perspective of an operator, why risk burning some of these precious resources when something less sophisticated will do? Throughout the many years we have been studying targeted digital attacks on the Tibetan community, we have seen operators using the same old patched exploits because … well, they work.

Part of the reason these attacks work is that the communities in question typically do not have the resources or capabilities to protect their networks properly.  While the Tibetan diaspora has done a remarkable job educating their community about how to recognize a suspicious email or attachment and not open it (their Detach from Attachments campaign being one example) many of them are still reliant on un-patched operating systems and a lack of adequate digital security controls.  As Citizen Lab’s Adam Hulcoop remarked, “We found it striking that the operators made only the bare minimum technical changes to avoid antivirus detection, while sticking with ‘old day’ exploits that would not work on a patched and updated system.”

What goes for Tibetans holds true across the entire civil society space: NGOs are typically small, overstretched organizations; most have few resources to dedicate to doing digital security well.  As a consequence, operators of targeted espionage campaigns can hold their big weapons in reserve, put more of their effort into crafting enticing messages — into the social engineering part of the equation — while re-purposing older exploits like KeyBoy.  As Citizen Lab senior researcher John Scott Railton notes in a recent article, “Citizen Lab research has consistently found that although the overall technical sophistication of attacks is typically low, their social engineering sophistication is much higher.”  The reason is that civil society is “chronically under-resourced, often relying on unmanaged networks and endpoints, combined with extensive use of popular online platforms….[providing] a target-rich environment for attackers.”

The second noteworthy part of the report concerns the precision around the social engineering on the part of the operators. The attacks were remarkably well timed to maximize return on victims.  Just 15 hours after members of the Tibetan parliament received an email about an upcoming conference, they received another email with the same subject and attachment, this time crafted to exploit a vulnerability in Microsoft Office using KeyBoy.  This level of targeting and re-use of a legitimate document sent only hours before shows how closely the Tibetans are watched by their adversaries, and how much effort the operators of such attacks put into the social engineering part of the targeted attack.  With such persistence and craftiness on the part of threat operators, it is no wonder civil society groups are facing an epidemic of these type of campaigns.

Finally, the report demonstrates the value of trusted partnerships with targeted communities.  The Citizen Lab has worked with Tibetan communities for nearly a decade, and during that time we have learned a great deal from each other.  That they are willing to share samples of attacks like these with our researchers shows not only their determination to better protect themselves, but a recognition of the value of careful evidence-based research for their community.  By publishing this report, we hope that civil society, human rights defenders, and their sponsors and supporters can better understand the threat environment, and take steps to protect themselves.  

To that end, alongside the report, we are publishing extensive details and indicators of compromise in several appendices to the report, and hope other researchers will continue where we left off.

Read the report here: https://citizenlab.org/2016/11/parliament-keyboy/